HIPAA Privacy Rule: Why Comply?
March 2003 Issue
The compliance date of April 14, 2003 for the HIPAA Privacy Rule is fast approaching O&P businesses. So the question you may ask is, "Why do I need to comply?"
Risk of Litigation
The threat of litigation is a topic that covered entities need to be very aware of, according to Leigh-Ann Patterson, a litigation partner with Nixon Peabody LLP in Boston, Massachusetts, who presented a crash course at the summit in "preventive law" as it relates to the privacy rule.1
HIPAA is likely to be the standard: According to Patterson, plaintiffs' lawyers will likely use the HIPAA Privacy Rule as the standard of care in negligence cases brought under state law involving alleged misuse of medical information. Specifically, it's likely they will claim the defendant did not meet the "minimum necessary" (amount of information shared) standard set forth in the HIPAA regulations. 1
Penalties and Imprisonment
It is federally mandated that all of the US states and controlled territories, such as Guam and the Virgin Islands, comply with HIPAA. Failure to comply with the Privacy Rule of HIPAA can lead to civil penalties up to $100 per person per violation and up to $25,000 per person for violations of a single standard for a calendar year and/or criminal penalties that can result in a $50,000 to $250,000 fine and one to ten years in jail for improper disclosure of individually identifiable health information.
Protecting patients' privacy shows that you care about them.
Compliance will demonstrate a level of professionalism that patients will come to expect. Failure to demonstrate respect for patient privacy could lead to lost business.
What Can Get An Organization Into Trouble
Protected health information (PHI), if used improperly, could damage an individual's reputation or be used for discriminatory purposes in employment. Examples include AIDS, alcoholism or drug addiction, suicide attempts or a history of nervous breakdowns. Having such personal information disclosed is an emotionally charged topic, which could feed directly into high-stakes litigation.
Some additional causes of action that might be expected to surface are:
- Negligent disclosure of PHI
- Any state statute giving rise to a right of action for breach of confidentiality
- Intentional revelation of PHI by an employee
- Inadequate policies and procedures
- Negligent supervision and training
- Negligent/intentional infliction of emotional distress
- Failure to follow your policies and procedures. Not only must covered entities develop policies and procedures under the Privacy Rule, but they also must follow them! In addition, you must give patients a notice that explains your PHI-related policies and their right to request restrictions of its use and disclosure
1 From MD Practice Alert, Dec. 4, 2002
Jay Masci is the Principal Consultant of Provaliant, a company providing IT consulting services including HIPAA compliance and customized training. For more information, call 480.952.0656 or visit www.provaliant.com.