HIPAA establishes the essential rules that all juvenile justice professionals must follow when using or sharing youth healthcare information for research and in practice.
The Health Insurance Portability and Accountability Act (HIPAA), also
known as the Kennedy-Kassebaum Bill, K2, and Public Law 104-191, was
enacted by the United States Congress in 1996. The Final Rule (Health
Insurance Reform: Security Standards; Privacy Rule; 45 CFR Parts 160, 162,
and 164) adopts the standards required under HIPAA: http://www.hhs.gov/ocr/hipaa/finalreg.html
HIPAA gives the Department of Health and Human Services (HHS) the
authority to mandate the use of standards for the electronic exchange
of healthcare information and to specify the types of measures required
to protect the security and privacy of personally identifiable healthcare
information. http://www.hhs.gov/ocr/hipaa/
The HIPAA regulations apply to:
- Healthcare providers
- Healthcare payers such as health plans and health insurance
providers, HMOs and Medicare
- Clearinghouses of health information
- Employers providing health insurance that have access to Protected
Health Information (PHI)
- Entities that have PHI access for other reasons, such as on-site
clinics.
HIPAA (http://aspe.hhs.gov/admnsimp/pl104191.htm)
was designed to allow individuals to qualify immediately for
comparable health insurance coverage when they change employers
and, through a separate set of provisions known as Administrative
Simplification, mandated security standards to protect
every person's health information while permitting appropriate
access to and use of that information by healthcare providers,
clearinghouses, and health plans. Prior to HIPAA, there were
no standards in the healthcare industry that addressed all aspects
of the security of electronic protected health information while it
is in use, in storage, or being exchanged between entities.
The four regulatory components of Administrative Simplification
are:
- Transaction and Code Set regulations, which establish
a uniform standard of data elements used to document the reasons
patients are seen and the procedures performed during healthcare
visits.
- National Provider Identifier (NPI) regulations, which
establish the standard unique health identifier for healthcare
providers to simplify administrative processes, improve the
accuracy of data, and reduce costs.
- Privacy regulations, which establish standards for
protecting individually identifiable health information
and for guaranteeing the rights of individuals to have additional
control over such information.
- Security regulations, which establish standards
for the security of electronic protected health information
(PHI). These standards include administrative safeguards
(security management, information access, contingency planning,
etc.); physical safeguards (physical access to information
within buildings, floors, departments, workstations, back-up
tapes, etc.); and technical safeguards (user software
access rights, tracking access, etc.).
In short, the Privacy Rule defines the rights of individuals, and the
Security Rule defines the technical processes required to ensure privacy.
The Privacy Rule establishes procedures and safeguards that
restrict the circumstances under which a covered entity may
disclose individually identifiable health information or protected
health information (PHI) to law enforcement officers. Law
enforcement may not access PHI without a warrant or other prior
legal process when attempting to identify or locate a suspect.
The Rule specifically prohibits disclosure of DNA information
without, for example, a warrant or other legal requirement.
The Privacy Rule also protects victims of domestic violence
or abuse. Under most circumstances, law enforcement cannot obtain
PHI about such victims unless the victim has given permission
to the covered entity. This restriction is currently not required
by the majority of States. State laws that impose restrictions
beyond those of the Privacy Rule must, however, still be applied;
the Rule sets the national floor for legal safeguards.
The Privacy Rule allows covered entities to disclose PHI to
law enforcement officials without the individual's written authorization
under certain circumstances (45 CFR 164.512(f)):
- To comply with a court order
- To respond to an administrative request from a law enforcement
official
- To respond to a request for PHI for purposes of identifying
or locating a suspect, fugitive, material witness, or missing
person (specific limitations are defined).
Additional information about disclosures for law enforcement purposes is provided by OHRP:
http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/index.html
The HIPAA Privacy Rule does not modify the Common Rule. Where
both the Privacy Rule and the Common Rule apply, both regulations
must be followed. The Privacy Rule regulates only the contents
and conditions of the documentation that covered entities must
obtain before using or disclosing protected health information
for research purposes.
The Rule permits a covered entity to "reasonably rely" on a
researcher's documentation from an IRB or Privacy Board that the
requested information is the minimum necessary for the research
purpose (45 CFR 164.514(d)(3)(iii)). Documentation is acceptable
from either an external IRB or Privacy Board or one associated
with the covered entity.
HIPAA establishes the essential rules that all juvenile justice
professionals must follow when using or sharing youth healthcare
information for research and in practice. Juvenile justice professionals
are also responsible for identifying and adhering to more stringent
rules that have been enacted by some State and local governments,
and to other Federal regulations that the Privacy Rule does
not override. Specific conditions and requirements for disclosures
are defined in Part 164 (Security and Privacy) of the Privacy
Rule: http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html
Failure to comply with HIPAA regulations may result in both civil and criminal penalties. The Department of Health and Human Services enforces the civil penalties for HIPAA noncompliance. Under a tiered civil penalty structure, the Secretary of Health and Human Services has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from it. Except in cases of willful neglect, the Secretary is prohibited from imposing civil penalties if the violation is corrected within 30 days.
CIVIL PENALTIES FOR HIPAA VIOLATIONS

| HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual did not know that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |
The Department of Justice is charged with enforcement of HIPAA's criminal penalty provisions.
CRIMINAL PENALTIES FOR HIPAA VIOLATIONS

| HIPAA Violation | Penalty |
|---|---|
| HIPAA violation due to knowingly obtaining or disclosing individually identifiable health information | Maximum fine of $100,000 and imprisonment up to one year |
| HIPAA violation due to offenses committed under false pretenses | Maximum fine of $50,000 and imprisonment up to five years |
| HIPAA violation due to intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm | Maximum fine of $250,000 and imprisonment up to ten years |