Feature

Under regulations adopted bythe Department of Health and Human Services (HHS) that enforce the Health Insurance Portability and Accountability Act (HIPAA) and made effective March 16, fines of up to $100 per violation, accumulating to a maximum of $25,000 over one year's time can be levied for HIPAA violations.

Called the Enforcement Rule, the regulations establish how HHS regulators will determine liability and calculate fines for health-care providers found to have violated any of the HIPAA rules following an investigation and administrative hearing. Privacy complaints are investigated by regulators from the HHS Office for Civil Rights.

"Psychologists need to be aware that the agency now has clear guidelines on how it's going to enforce HIPAA and what the penalties are if you don't comply," says Alan Nessman, JD, special counsel for legal and regulatory affairs in APA's Practice Directorate.

Reducing costs, protecting privacy

Congress enacted HIPAA in 1996 in part to create national standards for moving health-care record-keeping and health insurance claims-processing from paper to an electronic format and to reduce the administrative portion of health-care costs.

Periodically issued since the law was passed, HIPAA's three main rules include the:

  • Security Rule--details what health-care providers need to do to prevent the unintended release or destruction of electronic patient information and to physically safeguard such records.

  • Privacy Rule--governs how psychologists intentionally disclose protected information to others, including patients, insurance companies and other providers.

  • Transaction Rule--standardizes the electronic format for health-care transactions.

HIPAA coverage, complaint origination

HIPAA's rules apply to health-care professionals whose activities trigger the law, such as a psychologist who transmits protected health-care information electronically when submitting health-care claims.

The Enforcement Rule explains that a HIPAA investigation can stem from a complaint made by a patient or other health-care providers. HHS can review a provider's records for HIPAA compliance without a complaint, Nessman says.

According to HHS statistics, almost 19,000 HIPAA privacy compliance complaints had been filed as of March 31, with 72 percent of those cases resolved or otherwise closed. The agency started accepting complaints in April 2003, and so far, private health-care practices rank first in generating complaints.

The allegation most frequently raised is the impermissable use or disclosure of an individual's indentifiable health information.

The rule explains that besides being liable for their own actions, health-care providers can be liable for HIPAA violations from the actions of people working under their direction, including paid employees, trainees and volunteers.

Liability under HIPAA can also stem from the actions of business associates--billing services or accountants, for example--with whom protected health information is shared as part of running a practice.

As an exception to that rule, a health-care provider is not liable if it already has "business associate contracts" in place complying with the privacy and security rules.

The first approach of federal officials handling violations will be getting health-care providers to voluntarily correct problems, according to the Enforcement Rule.

If HHS decides to fine a provider, one potential defense is to show that the provider made reasonably diligent efforts to comply with all the HIPAA rules and did not know he or she was in violation, Nessman says. He stresses that reasonably diligent efforts must include actually taking steps to understand and comply with HIPAA rules, and that merely stating that one did not know he or she was in violation would not be an adequate defense.

The Enforcement Rule makes it clear that not complying with the rules because the provider didn't think HHS would enforce them is not a defense, he says.

Further Reading

The Enforcement Rule is available at www.hhs.gov/ocr/hipaa/FinalEnforcementRule06.pdf.

Legal issues are complex and highly fact-specific and laws change over time. The information in this article should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.