HIPAA Enforcement Heats Up In 2008

CMS Audits, Court Rulings & New Regulations Up The Risks  

The content of this Alert is for informational purposes and not intended as legal advice.
 

Since the HIPAA Privacy Rule took effect over five years ago and the Security Rule over three years ago, a great deal of discussion has focused on the topic of "HIPAA enforcement". In fact, the volume of discussion has far outpaced the level of actual enforcement. So little enforcement has taken place (until now) that merely mentioning the subject in a crowd draws apathetic yawns from some listeners.

 

However, the times are changing, and any entity subject to HIPAA should take notice. Although there have been numerous HIPAA enforcement warnings before, two recent developments should not be ignored.

 

First, the Centers for Medicare & Medicaid Services (CMS) recently entered into a year-long contract with PricewaterhouseCoopers (PwC) to conduct nationwide Security Rule audits of covered entities (CEs).

 

The CMS contract may allow PwC to audit for the following issues among others:

  • Information access management
  • Security awareness and training
  • Access control
  • Workstation use
  • Device and media controls

An important consequence of the CMS action is that a HIPAA Security Rule audit also tests Privacy Rule compliance, because the Security Rule itself requires it.

 

For example, the Security Rule states that CEs (healthcare providers and insurers, including educational institutions and state, local, and federal government agencies that provide healthcare services or health insurance) must "protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part" (45 CFR § 164.306(a)(3)). Subpart E is the Privacy Rule.

 

In other words, the Security Rule mandates compliance with the Privacy Rule. Furthermore, the list of government organizations currently enforcing HIPAA includes:

  • The Office of Inspector General (OIG) - auditing healthcare providers (Piedmont Hospital in Atlanta was one of the first, and more audits are pending)
  • The Department of Justice (DOJ) - prosecuting and incarcerating non-healthcare providers for violating HIPAA (multiple prosecutions and several incarcerations to date)
  • The Centers for Medicare & Medicaid Services (CMS) - conducting nationwide HIPAA audits using PwC (the first set of target entities has been identified)
  • The Department of Health and Human Services (DHHS) - currently assembling a Privacy Rule enforcement team.

In another major enforcement development, both federal and state courts have allowed individuals to bring negligence lawsuits that use HIPAA as the "standard of care" on which the claim is based.

 

And, as if this increase in enforcement activity were not enough to motivate CEs to take compliance seriously, legislation has been proposed in the U.S. Senate to strengthen enforcement further. The bill is called "HIPSA", the Health Information Privacy and Security Act.

HIPSA is focused on protecting individual privacy rights, national security and intelligence interests, and fighting identity theft related to medical information. The following summary shows how HIPSA would function if enacted.

  • HIPSA would NOT supersede or overturn HIPAA, but would amend it and assist in enforcing it.
  • HIPSA would mandate internal audits against the Privacy and Security Rules and the creation of risk management processes and procedures to ensure compliance by all organizations that handle PHI.
  • HIPSA would reinforce the application of HIPAA to schools, universities, and government organizations, while broadening the reach of laws protecting medical information to all types of entities that deal with PHI, beyond those to which the federal courts have so far applied HIPAA.
  • HIPSA would increase criminal liability, i.e., fines and jail time, beyond the levels found in HIPAA.
  • HIPSA would provide for the "debarment" of all types of organizations, including government bodies, healthcare providers, insurers, employers, schools, and universities, for criminal violations of laws designed to protect PHI; in other words, such organizations would no longer be able to receive any benefits under any federal health program or other federal procurement program. Covered entities could also be prohibited from doing business with any organization that conducts business with the federal government.
  • HIPSA would allow individuals to sue directly in federal court for compensatory and punitive damages for knowing or negligent violations of the individual's right to privacy in medical information. In addition, it would make the covered entity or "principal" jointly and severally liable with the principal's "agent" for such damages arising from any action of the agent taken within the scope of the agency.
  • HIPSA would allow state Attorneys General, or local law enforcement agencies able to prosecute consumer protection laws, to bring civil actions in federal district court to "obtain civil penalties of not more than $1,000 per day per individual whose personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $50,000 per day".
  • HIPSA would protect employees against employers that "discharge, demote, suspend, threaten, harass, retaliate against, or in any other manner discriminate or cause any employer to discriminate against an employee" who blows the whistle on the employer for violations of the HIPSA Act.
 

In summary, HIPAA / HIPSA enforcement is not going away. "Band-Aid compliance" efforts, i.e., adopting canned policies and procedures without taking any real compliance action, or relying on "inaccurate advice" from naysayers who believe the privacy regulations are inconsequential, may backfire on organizations that do not take steps toward real compliance.