HIPAA UPDATE
November 2004


Interim Final Rule on HIPAA Civil Monetary Penalties Extended by DHHS

DHHS published a final rule extending for one year an interim final rule establishing procedures for the imposition of civil monetary penalties on entities that violate HIPAA. The interim final rule was to expire on September 16, 2004, but DHHS extended it in order to continue ongoing enforcement actions and to develop a more comprehensive rule. DHHS intends to propose a rule to establish comprehensive procedural and substantive rules for HIPAA enforcement through the imposition of civil monetary penalties. No definitive date has been set, but DHHS said that it intends to publish the new final rule soon. The rule extending the interim final rule can be found at 69 Fed. Reg. 55515.

First HIPAA Criminal Conviction

On August 19, Richard Gibson, from Washington state, pled guilty in federal court to disclosure of individually identifiable health information for economic gain. He admitted that, while employed by the Seattle Cancer Care Alliance, he obtained a patient’s name, date of birth, and social security number and used them to open credit cards in the patient’s name, which he then used to buy video games, home improvement supplies, clothing, jewelry, decorative objects, groceries, and gasoline. Mr. Gibson ran up over $9,000 in debt in the patient’s name. The conviction is the first ever under HIPAA’s criminal provisions, which became effective in April 2003. Gibson faces a prison term of 10 to 16 months and will be required to pay restitution to the victim and the credit card companies.

GAO Report on Implementation of HIPAA Privacy

In a report issued October 4, 2004, the GAO stated that providers and health plans reported smoother-than-expected implementation of HIPAA Privacy in the first year of required compliance. Some complaints, however, were raised about particular Privacy requirements. Providers and health plans said that the requirement to account for certain disclosures of information, and the requirement to enter into agreements with business associates that extend privacy protections “downstream,” are unnecessarily burdensome, and they would like further guidance on, or modification of, these provisions.

Public health entities are concerned that providers’ uncertainty about how to comply with the Privacy Rule may impede the flow of information to state health departments and disease registries. The GAO also reported that the same uncertainty has reduced researchers’ access to data, delaying clinical and health services research.

HIPAA Security Breaches

Recent reported unauthorized disclosures of PHI include:
  • A hospital reported that some patient records were accidentally placed in a bank deposit bag and sent to the local bank.
  • Over 30 patient files were discovered in a recycling bin.
  • A private practice associated with a hospital system was found to be using an insecure remote-access technology to reach its network, potentially giving an outside attacker easy and complete access to all of the hospital’s patient records.
Studies of the biggest security threats to ePHI find that insiders pose the greatest risk to an entity’s security. Most of the breaches examined were carried out with unsophisticated means: ordinary, authorized access to the entity’s files during normal business hours, not a break-in from outside. Enforcing minimum-necessary access policies and building audit systems that review who accessed which records are an entity’s best protections against these sorts of intrusions.
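The finding above has a practical consequence for audit design: a time-of-day rule ("flag logins at 3 a.m.") catches none of these insider accesses, because they happen during the working day with legitimate credentials. What catches them is comparing each record access against the treatment relationship the user actually has. The following is an added example written for this newsletter, not code from any covered entity or EHR product; the log format (ISO timestamp, user, action, patient ID), the staff names, patient IDs, and the assignment table are all constructed for illustration.

```python
"""Audit-log review for minimum-necessary access to patient records.

Added example, not from the original newsletter. Every name, patient ID
and log line is constructed, and the comma-separated log format is an
assumption rather than any real EHR product's audit format.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set


class AccessEvent(NamedTuple):
    when: datetime
    user: str
    action: str
    patient: str


# Constructed treatment-relationship table: which staff member is assigned
# to which patient records. An access outside this table is not "minimum
# necessary" for that user and should be reviewed.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "asmith": {"P1001", "P1002"},
    "bjones": {"P2001"},
    "cwong": {"P1001", "P3003"},
}

# Constructed audit log. Every access falls inside normal business hours,
# which is exactly the pattern the studies describe. "temp99" is a user
# with no assignments at all (e.g. a temporary account never provisioned).
SAMPLE_LOG = """\
2004-08-19T09:12:03,asmith,VIEW,P1001
2004-08-19T09:15:44,asmith,VIEW,P1002
2004-08-19T10:02:10,bjones,VIEW,P2001
2004-08-19T10:05:31,bjones,VIEW,P1002
2004-08-19T10:06:02,bjones,PRINT,P1002
2004-08-19T10:09:47,bjones,VIEW,P3003
2004-08-19T14:20:55,cwong,VIEW,P3003
2004-08-19T14:22:17,cwong,VIEW,P2001
2004-08-19T16:40:09,temp99,VIEW,P1001
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Parse comma-separated audit lines; skip blank lines, reject malformed ones."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        when, user, action, patient = (p.strip() for p in parts)
        events.append(AccessEvent(datetime.fromisoformat(when), user, action, patient))
    return events


def outside_business_hours(events: List[AccessEvent],
                           start_hour: int = 8, end_hour: int = 18) -> List[AccessEvent]:
    """Naive time-of-day rule: flags only accesses outside 08:00-18:00.
    Against the sample log it flags nothing, which is the point."""
    return [e for e in events if not (start_hour <= e.when.hour < end_hour)]


def unassigned_access(events: List[AccessEvent],
                      assignments: Dict[str, Set[str]]) -> List[AccessEvent]:
    """Minimum-necessary rule: flag any access to a patient the user is not
    assigned to. A user absent from the assignment table has no legitimate
    relationship with any patient, so every one of their accesses is flagged."""
    return [e for e in events if e.patient not in assignments.get(e.user, set())]


def summarize(violations: List[AccessEvent]) -> Dict[str, dict]:
    """Per-user count of flagged accesses and the distinct patients touched,
    which is the view a privacy officer would review."""
    summary = defaultdict(lambda: {"events": 0, "patients": set()})
    for e in violations:
        summary[e.user]["events"] += 1
        summary[e.user]["patients"].add(e.patient)
    return {u: {"events": s["events"], "patients": sorted(s["patients"])}
            for u, s in summary.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("time-of-day rule flagged:", len(outside_business_hours(evs)))
    for user, s in summarize(unassigned_access(evs, ASSIGNMENTS)).items():
        print(f"{user}: {s['events']} access(es) to unassigned patients {s['patients']}")
```

Run against the constructed log, the time-of-day rule flags nothing, while the assignment check flags five accesses: three by `bjones` to two patients outside that user's caseload (including a PRINT, the kind of unsophisticated exfiltration the studies describe), one by `cwong`, and one by an account with no assignments at all. In a real deployment the assignment table would be derived from scheduling, admissions, or order data rather than hand-written, and an emergency ("break-the-glass") path would need its own logged justification rather than a blanket exemption.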

IRS Notice Explains Requests of PHI Under HIPAA

The IRS Office of Chief Counsel published a notice that identifies and explains three exceptions under which the IRS may obtain PHI from a taxpayer, or from a third party that is a covered entity, when enforcing the Internal Revenue Code. The three exceptions are the taxpayer’s authorization, the law enforcement exception, and the administrative and judicial proceedings exception. The notice also points out that the IRS is not a covered entity; once it obtains PHI, the Privacy Rule no longer governs its use of the information, and the information could be used in examining other taxpayers.

California Medical Information Privacy Bill

On September 29, California Governor Arnold Schwarzenegger signed into law a bill that prohibits businesses from collecting an individual’s medical information for marketing purposes unless the business “clearly and conspicuously” discloses how the information will be used for marketing and obtains the individual’s consent for that specific disclosure. Recordings of oral conversations in which corporations seek medical information from individuals for marketing purposes must be kept for two years. The new law imposes similar disclosure and consent requirements on written communications aimed at collecting individual health information for marketing purposes.