, Derry, New Hampshire

August 2, 2012

HIPAA is still confusing to many

About the law
Andrew Myers

---- — The biggest legal/medical news of the summer brought the Supreme Court decision upholding national health care.

But, that’s not the only news in this area. The Supreme Court decision overshadowed the federal government’s efforts to explain previous health-care legislation.

On June 4, the Office of Civil Rights issued a press release highlighting patients’ right of access to medical information under HIPAA.

HIPAA stands for Health Insurance Portability and Accountability Act. Passed in 1996, that law’s goals were to “improve the portability and continuity of health insurance” as people switched jobs. Other purposes included promoting health savings accounts and simplifying administration of health insurance. A major HIPAA component is the privacy rule.

Sixteen years after enactment, HIPAA brings enough confusion to warrant a federal press release.

HIPAA’s privacy rule attempted to establish national standards for protecting medical records and health information. One goal was balancing protection of the information against the need to disclose. So, health-care providers and other entities covered by the law must enact protective safeguards.

One such protection requires that any outsourcers have contracts requiring proper safeguards. Covered entities must also have procedures to limit who can view and access health information. Employees must take training programs on health information protection.

Attorneys often get questions along the lines of a medical provider’s alleged release of medical information without permission: “Can I sue for a HIPAA violation?” No, HIPAA creates no private right of action for violation.

Penalties of $100 to $250,000 are in HIPAA for wrongful disclosure. But, they were to be administered by the Secretary of Health and Human Services. Enforcement in the civil courts is not in HIPAA and would depend on state privacy laws.

Many organizations are exempt from and do not have to follow HIPAA rules. Exempt groups include life insurers, employers, workers compensation carriers, many schools and state agencies, including child protective service agencies.

For example, the HIPAA privacy rule does not apply to workers compensation insurers or administrative bodies. But, these entities need access to treatment records of those injured in the job.

For the most part, the health-care providers are covered by the privacy rule. HIPAA favors the need for insurers and administrative boards to obtain the information.

Again, the privacy rule permits covered entities to disclose protected health information to workers compensation insurers, state administrators and others without the individual’s authorization. However, the release must comply with state law, which by default, requires some form of authorization.

Many HIPAA requirements are not actually in the law. Instead, details reside in volumes of administrative regulations, including a 419-page edition of the Federal Register.

Not surprisingly, the June press release on HIPAA pointed to “barriers” faced by consumers, but indicated that new materials are now online to help. For those interested, use your favorite search engine and point to ocr/privacy/hipaa.