The age of technology has made life more convenient for many people, but it has also brought a host of problems, including the ever-increasing risk of theft of personal information. Medical data is especially sensitive; it contains records that most people would rather not share. That is why protecting patient information is so important.
The Health Insurance Portability and Accountability Act (HIPAA) protects an employee’s health insurance when a job is lost or an employee changes positions, but it also protects patient privacy. The first time you see a physician, you will be asked to sign a HIPAA release form stating who is allowed to see your patient information. Doctors and other medical staff members can be fined and sanctioned for any HIPAA violation.
Origins of HIPAA
HIPAA became law on August 21, 1996. The privacy rule was added in 2002, targeting the use of individual health care information. It detailed different types of information and how entities could use them. Most health care providers and insurance plans were in compliance with this law by 2003, and all were in compliance by 2004.
The privacy rule requires health plans, health care clearinghouses, and health care providers to implement safeguards to protect the privacy of personal health information and set limits on the uses and disclosures that may be made without patient authorization. It also allows patients to examine and obtain copies of health records and request corrections. HIPAA established national standards for the electronic medical records age; organizations must now implement secure electronic access to health data.
The penalties for a HIPAA violation depend on the particular infringement. The nature and extent of the breach, the violator’s intent, and the harm it caused are taken into consideration. Below are the four types of potential infractions:
- Violations due to reasonable ignorance result in the lowest penalty. In this case, the individual who leaked the information did not know and could not have reasonably known that he or she was breaking the law.
- The second type of violation occurs when privacy is violated for a reasonable cause rather than through willful neglect. In this case, the individual or entity knew a situation might violate the law and took reasonable steps to prevent it from occurring.
- The third type of violation occurs when a breach of privacy was caused by willful neglect, but it was corrected within 30 days. Willful neglect is reckless behavior on the part of a medical professional or entity.
- The most severe violation is when an individual or entity breaks the law with willful neglect and does not take corrective action within 30 days.
Fines range from a minimum of $100 per violation (with an annual maximum of $25,000) to a maximum of $50,000 per violation (with an annual maximum of $1.5 million). Criminal charges can also be brought, with prison sentences ranging from 1 to 10 years.
What You Can Do
If your HIPAA rights are violated and that violation is a serious breach of your privacy, you can file a complaint with the Department of Labor’s Office of Civil Rights against the covered entity (i.e. a health plan, health care clearinghouse, or any health provider who conducts transactions electronically). An investigator will determine whether a HIPAA violation took place. If it did, the violator may be fined or prosecuted.
Whether individuals can sue directly varies from state to state. In West Virginia, hospitals and other health care providers may be sued for damages in relation to the violation of HIPAA rights. The Charleston consumer protection attorneys at Tiano O’Dell, PLLC are available to offer you more information and explain your rights.