Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA), Public Law , was enacted by Congress on August 21, 1996.
HIPAA was enacted to Improve portability & continuity of health insurance coverage Improve access to long-term care services and coverage Simplify the administration of health care Protect privacy of patients’ health information
To assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care. HIPAA strikes a balance that permits important uses of information, while protecting the privacy of people who seek health care.
Civil penalties Civil money penalties are $100 per violation Up to $25,000 per person Federal criminal penalties Wrongful Disclosure: Fine of not more than $50,000 and not more than 1 year imprisonment Disclosure under False Pretenses: Fine of not more than $100,000 and not more than 5 years imprisonment Commercial Advantage, Personal Gain, or Malicious Harm: fine of not more than $250,000 and 10 years imprisonment
◦ As required by law ◦ Avert serious threats to health or safety ◦ Specialized government functions ◦ Judicial and administrative proceedings ◦ Cadaver organ, eye or tissue donation purposes ◦ Victims of abuse, neglect or domestic violence ◦ Inmates in correctional institutions or in custody ◦ Workers’ compensation ◦ Research purposes ◦ Public health activities ◦ Health oversight activities ◦ About decedents ◦ Law enforcement purposes
Uses and Disclosures for Specialized Government Functions: Military and Veterans Activities. 45 CFR and C7.11 of the DoD R. Very Broad in Nature. Has been published in the Federal Register. 68 Fed Reg (April 9, 2003)
The PHI that is released to a command authority is on a “need to know” basis. Appropriate military command authorities may, however, use and disclose protected health information of Army personnel for activities deemed necessary to assure the proper execution of the military mission (DoD R, paragraph c ). Appropriate military command authorities include all commanders who exercise authority over an individual (DoD R, paragraph C ).
The phrase “deemed necessary to assure the proper execution of the military mission” includes: (a) determining soldiers’ fitness for duty (DoD R, paragraph C ); (b) determining soldiers’ fitness to perform any particular mission, assignment, order, or duty (DoD R, paragraph C ); (c) carrying out activities under the authority of DoD Directive , Joint Medical Surveillance, 30 August 1997 (DoD R, paragraph C ), which includes, for example, monitoring the health of a population for the purposes of preventive medicine; (d) reporting on military casualties in any military operation or activity (DoD R, paragraph C ); and (e) carrying out any other activity necessary to the proper execution of the mission of the Army (DoD R, paragraph C ).
There are some instances where permitted disclosures under the HIPAA The Privacy Act (5 USC 552a(g)) permits civil suits against DoD components if the act has been violated and allows recovery of damages, court costs and attorney fees in some cases.
DoD R, DoD Health Information Privacy Regulation, 24 January 2003 DoD Instruction , Privacy of Individually Identifiable Health Information in DoD Health Care Programs, 2 December 2009 Public Law , Health Insurance Portability and Accountability Act of 1996, Section 264, 21 August 1996 Title 42, United States Code, Sections 1320a-1320d-8. 45 CFR Part 160 and Subparts A and E of Part 164 DOD Directives
Questions? 12