When the federal government enacts a consumer protection law, it can mandate that states provide at least the same standard of protection. When Congress passed the Health Insurance Portability and Accountability Act of 1996, it provided that states could offer greater protection in the area of health records privacy, but not less.
Alabama opted not to enact state laws granting patients more protection in this area. Therefore, the federal law provides the only protection for individuals in Alabama, as it does in all other states.
What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that established national standards to safeguard sensitive patient health information from public disclosure, unless a patient is informed about the disclosure and consents to it. Until then, privacy rules varied significantly among the states, with some states prohibiting disclosure absent consent.
The result was the HIPAA Privacy Rule, issued by the U.S. Department of Health and Human Services. A second rule, termed the Security Rule, offers further protection for some information.
HIPAA Prohibits Disclosure of Protected Health Information
HIPAA targets disclosure and use of a patient's health records. The intention of the law was to ensure privacy and security of sensitive records, as well as securing insurance coverage mobility when a worker changes employment. An underlying goal of the Privacy Rule was to establish a balance between a person's privacy rights and the needs of health care providers and the public. The rule ensures that a person's health information is adequately protected while still permitting sufficient information to be exchanged to promote high-quality health care.
The HIPAA Privacy Rule prohibits certain entities (covered entities) from disclosing any patient information without the patient's consent other than for important issues like health treatment or payment. This law sets a minimum standard for every state, while permitting states to enact even stronger privacy protections for health records. In this way, it is similar to the federal minimum wage, setting a base nationwide minimum wage that states can increase within their borders, but not decrease.
What Are Covered Entities?
The HIPAA Privacy Rule applies only to covered entities described in the rule. These are largely health plans and their business associates, including individuals employed by the health plan who require a patient's health information. Most health care clearinghouses are also covered under HIPAA, as are health care providers.
Specifically, the Privacy Rule covers every health care provider, big or small, if the provider electronically transmits health information in connection with specified transactions including claims, referral authorizations, benefit eligibility inquiries and referral authorization requests. Health plans are covered if they provide medical care to the patient or pay for that medical care.
Covered entity plans include health plans, dental plans, vision plans and plans providing prescription coverage. They also include Medicare, Medicaid, Medicare+Choice, Medicare supplemental insurers and health maintenance organizations (HMOs). Group health plans established and administered by an employer are covered unless the plan has fewer than 50 participants. A health plan's business associates do not include their workforce, but rather anyone using identifiable health information to do claims processing, data analysis, billing or similar services for a covered entity.
What Information Is Protected?
When it comes to covered entities, the law's protections apply to all health information that the entity communicates or transmits. The covered communication can be oral, written or electronic. All information about the patient's mental health, their health care services or payment information is protected.
When Is Disclosure Permitted?
Under some circumstances, the covered entity is allowed to disclose an individual's medical information protected under HIPAA without the patient's authorization. They are not required to do so, but are permitted to, in these circumstances:
- When required for health care operations, including treatment and payment.
- When a patient is given an opportunity to object to the disclosure of protected health information (PHI) and does not.
- When the disclosure is incidental to a permitted use and disclosure.
- When the information is required to be produced by law or needed for law enforcement.
- When necessary for public health activities.
- When necessary for workers' compensation purposes.
- When necessary for identifying deceased individuals.
- For organ, eye or tissue donations after death.
- For some types of research.
Types of HIPAA Violations
There are literally hundreds of ways that covered entities can violate HIPAA regulations. Anyone who can access an individual's protected health data must undergo rigorous HIPAA training to avoid violating the law.
Three types of HIPAA violations are most common, however. They are:
- Accessing protected health care records of family members, friends or acquaintances is far more common than one might think. If this violation is discovered, the person may face job termination and financial penalties.
- Losing company electronic devices or failing to encrypt company electronic devices. This violation is usually accidental, but it can be judged negligent depending on the circumstances, and could cost the employee their job.
- Failing to teach employees about HIPAA and keep them updated as regulations change. Employee HIPAA training is a requirement of the federal law.
While this short list might not seem to be of major concern, it should be. That's because even civil HIPAA violation penalties can be severe.
Penalties for HIPAA Violations
While covered entities can be fined, individual employees can also be fined. If the violation occurred without malicious intent, due to negligence or lack of information about the rules, fines run from $100 to $1,000. If the person acted with intentional neglect, but repaired the damage later, the fine is at least $10,000. If the person did not repair the issue, the fine can be $50,000 for each issue, and if the individual acted with malicious intent, criminal penalties can apply.
Teo Spengler earned a JD from U.C. Berkeley Law School. As an Assistant Attorney General in Juneau, she practiced before the Alaska Supreme Court and the U.S. Supreme Court before opening a plaintiff's personal injury practice in San Francisco. She holds both an MA and an MFA in English/writing and enjoys writing legal blogs and articles. Her work has appeared in numerous online publications including USA Today, Legal Zoom, eHow Business, Livestrong, SF Gate, Go Banking Rates, Arizona Central, Houston Chronicle, Navy Federal Credit Union, Pearson, Quicken.com, TurboTax.com, and numerous attorney websites. Spengler splits her time between the French Basque Country and Northern California.