Hipaa Statement

On April 14, 2003, covered entities must comply with the HIPAA Privacy Rule and April 21, 2005, deadline for security is fast approaching. Health care providers and their lawyers are now wondering where are the risks of liability and how best to mitigate those risks.

Government Enforcement of the rule of confidentiality

The interim final enforcement, published April 17, 2003, reaffirms the Government's previous statements that the application will be conducted HIPAA chief complaint. According to the Office of Civil Rights, in early September, the office has received more complaints HIPAA 1760. Of the 1760 complaints, 500 were closed and 1260 remain open for investigation. This number is relatively low given the number of entities that are subject to HIPAA and, therefore, seems to suggest that the risk of a government investigation is also relatively low.

The interim final enforcement also reaffirms the Department of Health and Social Services' commitment to provide technical assistance and promote voluntary compliance when investigating complaints HIPAA. In addition, covered entities have provided defenses to avoid the imposition of civil monetary penalties where the entity does not know the offense, or by the exercise of reasonable diligence would not have known of the offense. In addition, if a violation is due to a "reasonable cause" and not "negligence" and the violation is corrected within thirty days, the civil society of financial penalties will not be imposed. HHS has the discretion to extend the period of thirty days to correct or reduce or cancel a civil monetary penalty if the payment "of such a sentence would be excessive in relation to the compliance failure involved." Thus, even if a complaint were to occur, most entities will not face civil monetary penalties if they acted in good faith.

According to the Office of Civil Rights, at least some of the complaints received to date have been forwarded to the Department of Justice for criminal investigation. However, criminal sanctions will be reserved for knowing violations. Increase penalties for violations committed under false pretenses, for commercial purposes, personal gain or malicious harm.

Private causes of action for breach of privacy

Regarding disclosures of Protected Health Information negligence, private litigation may be the biggest risk that entities will face. Although the deadline for compliance with the privacy rule, lawyers for plaintiffs to bring successful actions against health care providers for breaches of confidentiality due to various causes of action. Although HIPAA does not create a private cause of action, most lawyers agree that it will probably be used to create an obligation to protect medical information and establish a national standard of care between the medical community.

A recent case illustrates how a Michigan law of confidentiality can be used to establish a private cause of action. In Doe v. American Medical Pharmacy, Inc., an employee of the pharmacy loudly blurted out the HIV status of a patient in a crowded waiting room. Court of Appeal upheld a jury verdict of $ 100,000 for defamation, invasion of privacy, intentional infliction of emotional distress, and violation of a Michigan law that protects the confidentiality of HIV results. Like HIPAA, the confidential status allows for fines and / or criminal penalties, but does not create a private cause of action. Similarly, a 1991 Michigan case acknowledged that the psychiatrist / Status confidentiality and privacy of the parties to the medical authorization bill to create a legal obligation. Although the Statute.