But the failure must be corrected within 30 days from the time of notification of the violation. A criminal penalty of a $50,000 fine and up to 1 year imprisonment will be imposed on a person who knowingly obtains and reveals identifiable health information in violation of HIPAA Rules. The fine can increase to $100,000 and the imprisonment to 5 years if the violation involves false pretenses. The fine can go up to $250,000 and up to 10 years imprisonment if there is an intent to sell, transfer or use the information for commercial or personal gain or malicious harm. The Department of Justice enforces criminal sanctions (OCR).
Protected health information or PHI refers to all individually identifiable health data held or transmitted by a covered entity or its business associate, in any form or medium -- whether electronic, paper or oral (OCR, 2003). These data concern a person's past, present or future physical or mental health or condition; his or her healthcare provision; and his or her past, present or future payment for healthcare. The data must identify the person and include other identifiers, such as address, birthday, and social security number (OCR).
Un-protected Health Information
Health information not protected by the HIPAA Privacy Rule pertains to employment records kept or used by a covered entity as an employer (OCR, 2003). These are records of an individual's employment information, education or other records coming under the Family Educational Rights and Privacy Act. De-identified health information is likewise not covered, and therefore unprotected, by HIPAA. This refers to health information that neither identifies nor provides an identifier of the person with that record or data. De-identification can be made either by a formal determination by a qualified statistician or by the removal of specific identifiers of the individual and his family, relatives, household members and employers. In this second case, the de-identification can be done only if the covered entity has no actual knowledge that the remaining information may be used in identifying the person (OCR).
Uses and Disclosures
A covered entity may not use or disclose protected health information except as the Privacy Rule permits or requires, or as authorized in writing by the individual or his or her representative (OCR, 2003).
Permitted Uses and Disclosures
A disclosure is permitted, but not required, without the individual's authorization, under certain circumstances (OCR, 2003). These are if the disclosure is made to the individual himself or herself; if it is part of the treatment or as basis for payment and healthcare operations; as an opportunity for the patient to agree or object; incidental use and disclosure; for the public interest and benefit; and limited data set. Public interest is involved and justifies the use and disclosure when it is required by law; as part of public health activities; for the benefit of victims of abuse, neglect or domestic violence; for health oversight activities; as inputs to judicial and administrative proceedings; for law enforcement purposes; for the use of funeral parlors or medical examiners in the identification of deceased persons; for the facilitation of donation and transplant of cadaver organs; for research; for serious threats to health and safety; and for essential government functions (OCR).
Authorized Uses and Disclosures
This is allowed when there is written and specific authorization of the individual involved (OCR, 2003). It is also allowed from psychotherapy notes without the person's authorization if the notes will be used for treatment or for use in training and court litigations. Protected health information may also be disclosed without authorization for marketing purposes in exchange for direct or indirect compensation for product endorsement (OCR).
Limiting Uses and Disclosures
The first limiting provision is that of minimum necessary (OCR, 2003). A covered entity must expend all effort and resources to acquire and reveal only the barest minimum information in order to satisfy its allowed purpose. When done, the covered entity may no longer use or disclose the data for another purpose. The second provision covers the access and uses of an allowed disclosure of the protected health data. The covered entity must develop and use policies and procedures that restrict the use of the data. Those who need the data must be identified through the policies and procedures. The provision on disclosures and requests for disclosures requires policies and procedures for routine, recurring disclosures or requests for disclosures that will limit the amount of information to be used in fulfilling the allowed purpose. And the provision on reasonable reliance requires the covered entity to comply with the minimum necessary standard.
Requests that satisfy the minimum necessary standard may be from a public official, a professional, or a researcher needing it for documentation or representation for research (OCR).
The OCR implements the HIPAA Privacy Rule in order to make people aware of privacy rights (Keilholtz, 2012). While it protects patient confidentiality, the Privacy Rule does not cover all situations. This clash brings about legal situations that conflict with HIPAA provisions (Keilholtz).
One example is Gunn v. Sound Shore Medical Center, dated March 2003 (Keilholtz, 2012). The complaint emanated from Donna Gunn, a resident of New York and a patient, who attended a cardiac physical therapy session at the hospital. She reported an injury on a treadmill during a session. She sued the hospital and demanded that it be ordered by the court to release the names of patients present in the same rehabilitation facility during the incident. The hospital refused to do so, citing HIPAA provisions, leading to the dismissal of the complaint. The court ruled that HIPAA provides that the disclosure of the identity of other patients would violate the physician-patient privilege and was, therefore, not permitted (Keilholtz).
Another example is the Hutton v. City of Martinez case, also in 2003 (Keilholtz, 2012). This involves a police shooting. The case was filed by the injured man against the police officer. The policeman claimed that he fired at the man because he could not physically come after him. The injured man requested a review of the officer's medical records. The judge granted the request and ordered the officer's workers' compensation health records. The judge justified the opening of the defendant's medical records. He stressed that HIPAA does not preclude the production of the records and compensation files in response to a discovery request, subpoena, or a court order "under a protective order." HIPAA's privacy rules are, therefore, only a guideline to uphold patient information without a guarantee of confidentiality (Keilholtz).
A third example is Law v. Zuckerman (Keilholtz, 2012). HIPAA can also clash against State laws. In 2004, a federal court had some trouble deciding if a meeting between a defense lawyer and the physician of a patient violated that patient's privacy law rights. The court initially ruled that the meeting did not break the law but later reversed this rule. The decision had to be on which, between HIPAA and the Maryland State law, was the more inflexible and therefore must dominate. The judge later ruled that HIPAA was the more inflexible. It stated that a privacy waiver is not allowed because of inferred consent. The judge then ruled that patient consent is inferred by the filing of the lawsuit by plaintiffs. He did not see that inferred consent satisfied the intended purpose of HIPAA (Keilholtz).
Czaja, J. (2012). What is the reason for HIPAA regulations? eHow: Demand Media, Inc. Retrieved on June 21, 2012 from http://www.ehow.com/list_6870131_reason_hipaa-regulations.html
Fortuna, M. (2012). History of HIPAA. eHow: Demand Media, Inc. Retrieved on June 21, 2012 from http://www.ehow.com/about_5448842_history-hipaa.html
HIPAA Specialists (2095). HIPAA background and history. Geomar Computers. Retrieved on June 21, 2012 from http://www.geomarscomputers.com/hipaa/hipaa_1.html