Digital Duplicating, Inc.

Health Care Newsletter

The Privacy Rule for Protecting Personal Medical Information

Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) includes provisions designed to provide continuous insurance coverage and electronic healthcare transactions. In an effort to establish federal minimum privacy standards for the use and release of a patient’s health information, Congress called on the Department of Health and Human Services (HHS) to issue new patient privacy regulations as part of the HIPAA scheme.

Accordingly, HHS published the Privacy Rule, a new set of privacy regulations that require certain “covered entities” to comply with a federal floor of privacy protections by April 14, 2003. In general terms, the Privacy Rule established a minimum threshold of privacy protection for the transmission of a HIPAA patient’s individually identifiable health information. As such, the Privacy Rule does not replace those state and federal laws or hospital policies that afford individuals stricter privacy protections than those required by the Rule.

“Covered Entities” Subject to HIPAA Fines and Penalties

“Covered entities” that are required to comply with the HIPAA Privacy Rule provisions include:

  • All health care providers that transmit protected health information electronically, including hospitals, physicians and emergency or ambulance personnel
  • Any health plan that provides health benefits or pays for health care, including insured and self-funded employer health plans, HMOs and insurers
  • Health care clearinghouses, such as billing agents and firms that process data

Protected Health Information Under the Privacy Rule

The Privacy Rule applies to “protected health information” (PHI), which may be defined as individually identifiable health information held or transmitted by covered entities and their business associates in any form of media, whether paper, electronic or oral. In line with a 1996 U.S. Supreme Court decision, which held that an individual’s right to privacy includes information about a person’s mental state, PHI is not limited to facts of physical treatment.

Under the HIPAA privacy regulations, covered entities must comply with specific PHI standards, including:

  • Providing patients with copies of medical records upon request
  • Notifying patients of how their PHI may be used by covered entities
  • Prohibiting the marketing of a patient’s medical information without their consent
  • Providing an opportunity for the patient to object to or restrict the use of their PHI
  • Obtaining patient authorization for the release of information when someone specifically asks about the patient by name

However, a hospital may place certain biographical information about a patient in a hospital directory, which may be disclosed to clergy members or to others who ask for the patient by name as long as the patient did not object to the inclusion of the information in the directory. The permissible disclosure of certain directory information includes:

  • Patient’s name and location in the health care provider’s facility
  • Patient’s condition (described in general terms)
  • Patient’s religious affiliation (to clergy members only)

Further, certain emergency circumstances warrant the release of a patient’s directory information to individuals other than clergy members or those who ask for the patient by name, as in cases where the patient is incapacitated and disclosure would be in the patient’s best interest.

Civil and Criminal Penalties for Violating the Privacy Rule

Patients who believe that their Privacy Rule rights have been violated may file a complaint with the HHS Office for Civil Rights (OCR), which oversees and enforces the Privacy Rule. Complaints to the OCR must:

  • Be filed in writing (on paper or electronically) within 180 days of when the patient knew of the violation
  • Name the offending person or entity
  • Describe the acts or omissions believed to be in violation of the Privacy Rule

If the OCR determines that a covered entity has violated the Privacy Rule, the covered entity may face civil and/or criminal penalties (depending on the violation). For civil violations, the OCR may fine the covered entity $100 per violation, up to $25,000 in one year. Such penalties may not be imposed when the violation is due to reasonable cause, did not involve willful neglect and was corrected by the covered entity within 30 days of when it knew or should have known of the violation.

Conversely, a covered entity that knowingly violates the Privacy Rule faces criminal penalties, including, at minimum, a fine of $50,000 and up to one year of imprisonment. These penalties increase to $100,000 and up to five years' imprisonment if the violation involves false pretenses, and to $250,000 and ten years in prison if it involves intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm. Criminal penalties are enforced by the Department of Justice.
