The Juvenile Justice Professional's Guide to
Human Subjects Protection and the IRB Process
Health Insurance Portability and Accountability Act of 1996

HIPAA establishes the essential rules that all juvenile justice professionals must follow when using or sharing youth healthcare information for research and in practice.

The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Bill, K2, and Public Law 104-191, was enacted by the United States Congress in 1996. The implementing regulations, Health Insurance Reform: Security Standards; Final Rule, and the Privacy Rule (45 CFR Parts 160, 162, and 164), adopt the standards required under HIPAA. http://www.hhs.gov/ocr/hipaa/finalreg.html

HIPAA gives the Department of Health and Human Services (HHS) the authority to mandate the use of standards for the electronic exchange of healthcare information and specify the types of measures required to protect the security and privacy of personally identifiable healthcare information. http://www.hhs.gov/ocr/hipaa/

The HIPAA regulations apply to:
  • Healthcare providers
  • Healthcare payers such as health plans and health insurance providers, HMOs, and Medicare
  • Clearinghouses of health information
  • Employers providing health insurance that have access to Protected Health Information (PHI)
  • Entities that have PHI access for other reasons, such as on-site clinics.

HIPAA http://aspe.hhs.gov/admnsimp/pl104191.htm was designed to allow individuals to qualify immediately for comparable health insurance coverage when they change employment associations and, through a separate set of provisions, Administrative Simplification, mandated security standards to protect every person's health information, while permitting the appropriate access and use of that information by healthcare providers, clearinghouses, and health plans. Prior to HIPAA, there were no standards in the healthcare industry that addressed all aspects of the security of electronic protected health information while it is being used, in storage, or when exchanged between entities. The four regulatory components of Administrative Simplification are:
  • Transaction and Code Set regulations, which establish a uniform standard of data elements used to document the reasons patients are seen and the procedures performed during healthcare visits.
  • National Provider Identifier (NPI) regulations, which establish the standard unique health identifier for healthcare providers to simplify administrative processes, improve the accuracy of data, and reduce costs.
  • Privacy regulations, which establish standards for protecting individually identifiable health information and for guaranteeing the rights of individuals to have additional control over such information.
  • Security regulations, which establish standards for the security of electronic protected health information (ePHI). These standards include administrative safeguards (security management, information access, contingency planning, etc.); physical safeguards (physical access to information within buildings, floors, departments, workstations, back-up tapes, etc.); and technical safeguards (user software access rights, tracking access, etc.).
In short, the Privacy Rule defines the rights of individuals, and the Security Rule defines the processes and technology required to protect the information that gives effect to those rights.
The Privacy Rule establishes procedures and safeguards that restrict the circumstances under which a covered entity may give individually identifiable health information, or protected health information (PHI), to law enforcement officers. When law enforcement is attempting to identify or locate a suspect, the covered entity may disclose only limited identifying information in response to the request; fuller access to PHI requires a warrant or other prior legal process. The Rule specifically prohibits disclosure of DNA or DNA analysis for this purpose without, for example, a warrant or other legal requirement. The Privacy Rule also protects victims of domestic violence or abuse: under most circumstances, law enforcement cannot obtain PHI about such victims unless the victim has given permission to the covered entity. Most States do not currently impose this restriction on their own. State laws that impose restrictions beyond the Privacy Rule, however, must still be applied; the Rule sets the national floor for legal safeguards, not the ceiling.

The Privacy Rule allows covered entities to disclose PHI to law enforcement officials without the individual's written authorization under certain circumstances (45 CFR 164.512(f)):
  • To comply with a court order
  • To respond to an administrative request from a law enforcement official
  • To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness, or missing person (specific limitations are defined).

Additional information about disclosures for law enforcement purposes is provided by the HHS Office for Civil Rights (OCR): http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/index.html

The HIPAA Privacy Rule does not modify the Common Rule. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the contents and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes.

The Rule permits a covered entity to "reasonably rely" on a researcher's documentation from an IRB or Privacy Board that the requested information is the minimum necessary for the research purpose (45 CFR 164.514(d)(3)(iii)). Documentation is acceptable from either an external IRB or Privacy Board or one associated with the covered entity.

Juvenile justice professionals are also responsible for identifying and adhering to more stringent rules enacted by some State and local governments, and to other Federal regulations, which the Privacy Rule does not preempt. Specific conditions and requirements for disclosures are defined in Part 164 (Security and Privacy) of the Privacy Rule: http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html

Failure to comply with HIPAA regulations may result in both civil and criminal penalties. The HHS Office for Civil Rights (OCR) enforces civil penalties for HIPAA noncompliance. Under a tiered civil penalty structure, the Secretary of Health and Human Services has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from it. Except in cases of willful neglect, the Secretary may not impose civil penalties if the violation is corrected within 30 days.
CIVIL PENALTIES FOR HIPAA VIOLATIONS
  • Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
    Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  • Violation due to reasonable cause and not due to willful neglect
    Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  • Violation due to willful neglect, but corrected within the required time period
    Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  • Violation due to willful neglect and not corrected
    Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million


The Department of Justice is charged with enforcement of HIPAA's criminal penalty provisions (42 U.S.C. 1320d-6).
CRIMINAL PENALTIES FOR HIPAA VIOLATIONS
  • Knowingly obtaining or disclosing individually identifiable health information
    Penalty: maximum fine of $50,000 and imprisonment of up to one year.
  • Offense committed under false pretenses
    Penalty: maximum fine of $100,000 and imprisonment of up to five years.
  • Offense committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm
    Penalty: maximum fine of $250,000 and imprisonment of up to ten years.

