Health Insurance Portability and Accountability Act

Attorney Thom Goolsby stopped by Carolina in the Morning to answer questions about the Health Insurance Portability and Accountability Act (HIPAA).

1. What is HIPAA, and what does it do?

In August 2002, the U.S. Department of Health and Human Services revised the December 2000 rule that implements the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under the Rule, new requirements will be placed on health care providers (covered entities). Among them is that, with limited exceptions, covered entities must receive written, explicit authorization from an individual to use or disclose protected health information for marketing or fundraising.

2. What information is protected?

Personally identifiable health information held or disclosed by a covered entity in any form, whether oral, written or electronic. This includes: name; specific dates (birth, admission, discharge, death); telephone number; Social Security number; medical record number; photographs; and city, zip code, and other geographic identifiers.

3. What are "covered entities"?

Health plans - HMOs, insurers, Medicare and Medicaid; health care clearinghouses - billing services, repricing companies, community health management information systems and "value added" networks and switches; and health care providers - medical or health service providers and any other person or organization who furnishes, bills, or is paid for health care in electronic form (e.g., insurers, physicians, hospitals, labs and pharmacies).

4. Under HIPAA, covered entities must obtain written permission from individuals - by way of a signed authorization form - before they use or share health-related information for marketing and certain other purposes. What is an authorization form?

An authorization form is written permission from patients that allows use or disclosure of their protected health information for purposes other than treatment, payment or health care operations.

5. Can health care providers and health plans condition treatment/service on obtaining authorization?

No.  Providers and health plans may not condition treatment, enrollment in a health plan, benefits eligibility, or payment on obtaining patient authorization.

6. What are the patient's rights under HIPAA?

Under HIPAA, patients have the right to:

  • Receive a privacy notice to inform them about how protected information will be used and disclosed;
  • Request that uses and disclosures of protected information be restricted (covered entities are not required to always agree to restrictions);
  • Inspect, copy and amend their medical records (providers are allowed to charge a reasonable fee for copying expenses);
  • Get an accounting of the disclosures of their protected information for the past six years;
  • File a complaint.

7. Can individuals bring a private cause of action against a covered entity?

No.  A private cause of action is not authorized by the Rule.

8. Are there other actions an individual can take to file a complaint against a covered entity's failure to comply with the regulation?

Yes, individuals can file a complaint against covered entities that they believe have not complied with the regulation.  The complaint should be filed with the U.S. Department of Health and Human Services (DHHS).

9. What enforcement regulations and punishments are created by the Rule?

DHHS' Office of Civil Rights (OCR) is the governmental body that has the enforcement responsibility. Violators can be sentenced to up to 10 years in prison and fined up to $250,000 in criminal penalties for failure to comply. In addition, civil penalties can be imposed that include $100 per violation and up to $25,000 per person, per year for each violation.