With respect to the Act itself, some penalties include, as to Section 1176:[7]

"(a) OFFENSE.--A person who knowingly and in violation of this part--
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).

(b) PENALTIES.--A person described in subsection (a) shall--
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both."

As attorneys are involved in obtaining medical records and advising clients, here are some questions and answers from the U.S. Department of Health and Human Services:[8]

Q. Can a patient have a friend or family member pick up a prescription for her?

A. Yes. A pharmacist may use professional judgment and experience with common practice to make reasonable inferences of the patient's best interest in allowing a person, other than the patient, to pick up a prescription. See 45 CFR 164.510(b). For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that he or she is involved in the individual's care, and the HIPAA Privacy Rule allows the pharmacist to give the filled prescription to the relative or friend. The individual does not need to provide the pharmacist with the names of such persons in advance.

Q. If I believe that my privacy rights have been violated, when can I submit a complaint?

A. By law, health care providers (including doctors and hospitals) who engage in certain electronic transactions, health plans, and health care clearinghouses (collectively, "covered entities") have until April 14, 2003, to comply with the HIPAA Privacy Rule. (Small health plans have until April 14, 2004, to comply.) Activities occurring before April 14, 2003, are not subject to Office for Civil Rights (OCR) enforcement actions. After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with OCR a written complaint, either on paper or electronically. This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred. The Secretary may waive this 180-day time limit if good cause is shown. See 45 CFR 160.306 and 164.534. OCR will provide further information on its web site about how to file a complaint (www.hhs.gov/ocr/hipaa/). In addition, after the compliance dates above, individuals have a right to file a complaint directly with the covered entity. Individuals should refer to the covered entity's notice of privacy practices for more information about how to file a complaint with the covered entity.

Q. Are appointment reminders allowed under the HIPAA Privacy Rule without authorizations?

A. Yes, appointment reminders are considered part of treatment of an individual and, therefore, can be made without an authorization.

Q. How do I know if a State law is "more stringent" than the HIPAA Privacy Rule?

A. In general, a State law is "more stringent" than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals' identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does. See the definition of "more stringent" at 45 C.F.R. 160.202 for the specific criteria. For example, a State law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the Privacy Rule is "more stringent" than the Privacy Rule. In the unusual case where a more stringent provision of State law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of State law, and the State law prevails. Where the more stringent State law and the Privacy Rule are not contrary, covered entities must comply with both laws. See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law. An unofficial version of the Privacy Rule and the preemption requirements may be accessed at <http://www.hhs.gov/ocr/

Q. Does the HIPAA Privacy Rule's public health provision permit covered health care providers to disclose protected health information concerning the findings of pre-employment physicals, drug tests, or fitness-for-duty examinations to an individual's employer?

A. The public health provision permits covered health care providers to disclose an individual's protected health information to the individual's employer without authorization in very limited circumstances. First, the covered health care provider must provide the health care service to the individual at the request of the individual's employer or as a member of the employer's workforce. Second, the health care service provided must relate to the medical surveillance of the workplace or an evaluation to determine whether the individual has a work-related illness or injury. Third, the employer must have a duty under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or the requirements of a similar State law, to keep records on or act on such information. For example, OSHA requires employers to monitor employees' exposures to certain substances and to take specific actions when an employee's exposure level exceeds a specified limit. A covered entity which tests an individual for such an exposure level at the request of the individual's employer may disclose that test result to the employer without authorization.

Q. If someone has health care power of attorney for an individual, can they obtain access to that individual's medical record?

A. Yes, an individual who has been given a health care power of attorney will have the right to access the medical records of the individual related to such representation to the extent permitted by the HIPAA Privacy Rule at 45 CFR 164.524. However, when a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse or neglect by the personal representative, or that treating a person as an individual's personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual's personal representative if, in the exercise of professional judgment, doing so would not be in the best interests of the individual.

Q. Can the personal representative of an adult or emancipated minor obtain access to the individual's medical record?

A. The HIPAA Privacy Rule treats an adult or emancipated minor's personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions generally, then the personal representative may have access to the individual's protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative's authority. For example, if a personal representative's authority is limited to authorizing artificial life support, then the personal representative's access to protected health information is limited to that information which may be relevant to decisions about artificial life support.

Q. Will this HIPAA Privacy Rule make it easier for police and law enforcement agencies to get my medical information?

A. No. The Rule does not expand current law enforcement access to individually identifiable health information. In fact, it limits access to a greater degree than currently exists, since the Rule establishes new procedures and safeguards that restrict the circumstances under which a covered entity may give such information to law enforcement officers. For example, the Rule limits the type of information that covered entities may disclose to law enforcement, absent a warrant or other prior process, when law enforcement is seeking to identify or locate a suspect. It specifically prohibits disclosure of DNA information for this purpose, absent some other legal requirement such as a warrant. Similarly, under most circumstances, the Privacy Rule requires covered entities to obtain permission from persons who have been the victim of domestic violence or abuse before disclosing information about them to law enforcement. In most States, such permission is not required today. Where State law imposes additional restrictions on disclosure of health information to law enforcement, those State laws continue to apply. This Rule sets a national floor of legal protections; it is not a set of "best practices." Even in those circumstances when disclosure to law enforcement is permitted by the Rule, the Privacy Rule does not require covered entities to disclose any information. Some other Federal or State law may require a disclosure, and the Privacy Rule does not interfere with the operation of these other laws. However, unless the disclosure is required by some other law, covered entities should use their professional judgment to decide whether to disclose information, reflecting their own policies and ethical principles. In other words, doctors, hospitals, and health plans could continue to follow their own policies to protect privacy in such instances.

Q. May a psychologist continue his practice to notify a parent before treating his or her minor child, even though the minor child is able to consent to such health care under State law?

A. The HIPAA Privacy Rule would defer to State or other applicable law that addresses the disclosure of health information to a parent about a minor child. If the minor child is permitted, under State law, to consent to such health care without the consent of her parent and does consent to such care, the provider may notify the parent when the State law explicitly requires or permits the health provider to do so. If State law permits the minor child to consent to such health care without parental consent, but is silent on parental notification, the provider would need the child's permission to notify a parent.

Q. Can a pharmacist use protected health information to fill a prescription that was telephoned in by a patient's physician without the patient's written consent if the patient is a new patient to the pharmacy?

A. Yes. The pharmacist is using the protected health information for treatment purposes, and the HIPAA Privacy Rule does not require covered entities to obtain an individual's consent prior to using or disclosing protected health information about him or her for treatment, payment, or health care operations.

Q. Does the HIPAA Privacy Rule prevent health plans and providers from using debt collection agencies? Does the Privacy Rule conflict with the Fair Debt Collection Practices Act?

A. The Privacy Rule permits covered entities to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the "payment" definition. See the definition of "payment" at 45 CFR 164.501. Through a business associate arrangement, the covered entity may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies are governed by other provisions of the Privacy Rule, such as the business associate and minimum necessary requirements. The Department is not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of protected health information is necessary for the covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.

Q. Are hospitals or other health care providers required to provide their notices to patients they treat in an emergency?

A. Hospitals and other covered health care providers with a direct treatment relationship with individuals are not required to provide their notices to patients at the time they are providing emergency treatment. In these situations, the HIPAA Privacy Rule requires only that providers give patients a notice when it is practical to do so after the emergency situation has ended. In addition, where notice is delayed by an emergency treatment situation, the Privacy Rule does not require that providers make a good faith effort to obtain the patient's written acknowledgment of receipt of the notice.

Q. My State law provides greater privacy protections on patients' HIV information than the HIPAA Privacy Rule. Is this more protective State law preempted by the Privacy Rule?

A. No. The Privacy Rule establishes a floor of Federal privacy protections and rights for individuals. If a provision of State law provides greater privacy protection than a provision of the Privacy Rule, and it is possible to comply with both the State law and the Privacy Rule (e.g., where a State law prohibits the disclosure of HIV status while the Privacy Rule permits such disclosure), there is no conflict between the State law and the Privacy Rule, and no preemption.

Q. Does the HIPAA Privacy Rule permit a health care provider to disclose an injured or ill worker's protected health information without his or her authorization when requested for purposes of adjudicating the individual's workers' compensation claim?

A. Covered entities are permitted to disclose protected health information for such purposes as authorized by, and to the extent necessary to comply with, workers' compensation law. See 45 CFR 164.512(l). In addition, the Privacy Rule generally permits covered entities to disclose protected health information in the course of any judicial or administrative proceeding in response to a court order, subpoena, or other lawful process. See 45 CFR 164.512(e).

Q. My State law authorizes health care providers to report suspected child abuse to the State Department of Health and Social Services. Does the HIPAA Privacy Rule preempt this State law?

A. No. The Privacy Rule permits covered health care providers and other covered entities to disclose reports of child abuse or neglect to public health authorities or other appropriate government authorities. See 45 C.F.R. 164.512(b)(1)(ii). Thus, there is no conflict between the State law and the Privacy Rule, and no preemption. Covered entities may report such information and be in compliance with both the State law and the Privacy Rule. Further, even in the unusual case where a State law that provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention is contrary to a provision of the Privacy Rule--that is, it is impossible for a covered entity to comply with both the Privacy Rule and the State law, or the State law is an obstacle to accomplishing the full purposes and objectives of HIPAA's Administrative Simplification provisions--the Administrative Simplification Rules specifically provide an exception to preemption of State law. Thus, if a provision of State law provided for public health surveillance and was contrary to the Privacy Rule, the State law would prevail. Because the Administrative Simplification Rules except such contrary State laws from preemption, it is neither necessary nor appropriate to request a preemption exception determination from the Department of Health and Human Services. See 45 C.F.R. 160.202 for the definition of "contrary" and 45 C.F.R. 160.203 for the general rule and exceptions to preemption. An unofficial version of the Privacy Rule and the preemption requirements may be accessed at <http://www.hhs.gov/ocr/combinedregtext.pdf>.

Q. Does the HIPAA Privacy Rule preempt State laws?

A. The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals' individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law (1) relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information, (2) provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or (3) requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule. In addition, the Department of Health and Human Services (HHS) may, upon specific request from a State or other entity or person, determine that a provision of State law which is "contrary" to the Federal requirements--as defined by the HIPAA Administrative Simplification Rules--and which meets certain additional criteria, will not be preempted by the Federal requirements. Thus, preemption of a contrary State law will not occur if the Secretary or designated HHS official determines, in response to a request, that one of the following criteria applies: the State law (1) is necessary to prevent fraud and abuse related to the provision of or payment for health care, (2) is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation, (3) is necessary for State reporting on health care delivery or costs, (4) is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or (5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law. It is important to recognize that only State laws that are "contrary" to the Federal requirements are eligible for an exemption determination. As defined by the Administrative Simplification Rules, contrary means that it would be impossible for a covered entity to comply with both the State and Federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law. An unofficial version of the Privacy Rule and the preemption requirements may be accessed at <http://www.hhs.gov/ocr/combinedregtext.pdf>.

Q. If a child receives emergency medical care without a parent's consent, can the parent get all information about the child's treatment and condition?

A. Generally, yes. Even though the parent did not consent to the treatment in this situation, the parent would be the child's personal representative under the HIPAA Privacy Rule. This would not be so when the parent does not have authority to act for the child (e.g., parental rights have been terminated), when expressly prohibited by State or other applicable law, or when the covered entity, in the exercise of professional judgment, believes that providing such information would not be in the best interest of the individual because of a reasonable belief that the individual may be subject to abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual.

Q. Does the HIPAA Privacy Rule protect genetic information?

A. Yes, genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse. See 45 C.F.R. 160.103 and 164.501.

In general, you can prevent a physician from reporting your treatment to your insurance company if you want to pay the bill yourself; find out if a friend is in the hospital; or pick up a friend's prescription. Your physician can consult other physicians for your treatment and, very interestingly, the persons consulted can get information for billing. For the full text of the regulation, see endnote vi. If you first log on to the Internet, clicking HIPAA in that note will take you to a PDF file of the entire text.

To reiterate what was stated at the close of the above discussion of "Databases for Medical Records," lawyers should craft a set of instructions and forms for preventing unauthorized access to medical records and for preventing their unauthorized dissemination.

_______________
1. 45 CFR 160 Subtitle A, Subchapter C, § 164.524 Access of individuals to protected health information. (a) Standard: access to protected health information. (1) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:

2. Sec. 164.534 Compliance dates for initial implementation of the privacy standards. (a) Health care providers. A covered health care provider must comply with the applicable requirements of this subpart no later than April 14, 2003. (b) Health plans. A health plan must comply with the applicable requirements of this subpart no later than the following, as applicable: (1) Health plans other than small health plans: April 14, 2003. (2) Small health plans: April 14, 2004. (c) Health clearinghouses. A health care clearinghouse must comply with the applicable requirements of this subpart no later than April 14, 2003. <http://www.hhs.gov/ocr/hipaa/finalreg.html>

3. Given that the compliance date of the Privacy Rule for most covered entities is April 14, 2003, and the Department's interest in having the compliance date for these revisions also be no later than April 14, 2003, the Department solicited public comment on the proposed modifications for only 30 days. <http://www.cms.hhs.gov/hipaa/hipaa2/regulations/

4. The Secretary's Recommendations were submitted to the Congress on September 11, 1997. Section 264(c)(1) provides that: "If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than [February 21, 2000]. Such regulations shall address at least the subjects described in subsection (b)." As the Congress did not enact legislation regarding the privacy of individually identifiable health information prior to August 21, 1999, HHS published proposed rules setting forth such standards on November 3, 1999, 64 FR 59918, and is now publishing the mandated final regulation.

5. Purpose of the Administrative Simplification Regulations. This regulation has three major purposes: (1) to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information; (2) to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and (3) to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals. <http://www.cms.hhs.gov/hipaa/hipaa2/regulations/privacy/finalrule/PvcFR01.txt> <http://www.cms.hhs.gov/hipaa/hipaa2/regulations/privacy/finalrule/default.asp>

6. HIPAA (PDF): The Complete Privacy Rule as published on August 14, 2002 in the Federal Register and amended on October 22, 2002.