The compliance date of April 14, 2003 for the HIPAA
Privacy Rule is fast approaching O&P businesses. So the
question you may ask is, “Why do I need to
Risk of Litigation
The threat of litigation is a topic that covered entities need to be very aware of, according to Leigh-Ann Patterson, a litigation partner with Nixon Peabody LLP in Boston, Massachusetts, who presented a crash course in “preventive law” as it relates to the Privacy Rule at the summit.1
HIPAA is likely to be the standard: According to Patterson, plaintiffs’ lawyers will likely use the HIPAA Privacy Rule as the standard of care in negligence cases brought under state law involving alleged misuse of medical information. Specifically, it is likely they will claim the defendant did not meet the “minimum necessary” standard (limiting the amount of information used or shared to what the purpose requires) set forth in the HIPAA regulations.1
Penalties and Imprisonment
It is federally mandated that all of the US states and
controlled territories, such as Guam and the Virgin Islands, comply
with HIPAA. Failure to comply with the Privacy Rule of HIPAA can
lead to civil penalties of up to $100 per violation, capped at
$25,000 per calendar year for violations of a single standard,
and/or criminal penalties for knowing improper disclosure of
individually identifiable health information that range from a
$50,000 fine and one year in prison up to a $250,000 fine and ten
years in prison, with the higher tiers reserved for disclosures
made under false pretenses or with intent to sell the information
or to cause harm.
Protecting patients’ privacy shows that you care about them.
Compliance will demonstrate a level of professionalism that
patients will come to expect. Failure to demonstrate respect for
patient privacy could lead to lost business.
What Can Get An Organization Into Trouble
Protected health information (PHI), if used improperly, could
damage an individual’s reputation or be used for discriminatory
purposes in employment. Examples include AIDS, alcoholism or drug
addiction, suicide attempts or a history of nervous breakdowns.
Having such personal information disclosed is an emotionally
charged topic, which could feed directly into high-stakes
Some additional causes of action that might be expected to
- Negligent disclosure of PHI
- Any state statute giving rise to a right of action for breach
- Intentional revelation of PHI by an employee
- Inadequate policies and procedures
- Negligent supervision and training
- Negligent/intentional infliction of emotional distress
- Failure to follow your policies and procedures. Not only must covered entities develop policies and procedures under the Privacy Rule, but they also must follow them! In addition, you must give patients a notice that explains your PHI-related policies and their right to request restrictions on its use and disclosure.
1 From MD Practice Alert, Dec. 4, 2002
Jay Masci is the Principal Consultant of Provaliant, a company providing IT consulting services including HIPAA compliance and customized training. For more information, call 480.952.0656 or visit www.provaliant.com.