Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, was enacted by Congress on August 21, 1996.
HIPAA was enacted to Improve portability & continuity of health insurance coverage Improve access to long-term care services and coverage Simplify the administration of health care Protect privacy of patients’ health information
To assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care. HIPAA strikes a balance that permits important uses of information, while protecting the privacy of people who seek health care.
Civil penalties Civil money penalties are $100 per violation Up to $25,000 per person Federal criminal penalties Wrongful Disclosure: Fine of not more than $50,000 and not more than 1 year imprisonment Disclosure under False Pretenses: Fine of not more than $100,000 and not more than 5 years imprisonment Commercial Advantage, Personal Gain, or Malicious Harm: fine of not more than $250,000 and 10 years imprisonment
◦ As required by law ◦ Avert serious threats to health or safety ◦ Specialized government functions ◦ Judicial and administrative proceedings ◦ Cadaver organ, eye or tissue donation purposes ◦ Victims of abuse, neglect or domestic violence ◦ Inmates in correctional institutions or in custody ◦ Workers’ compensation ◦ Research purposes ◦ Public health activities ◦ Health oversight activities ◦ About decedents ◦ Law enforcement purposes
Uses and Disclosures for Specialized Government Functions: Military and Veterans Activities. 45 CFR 164.512 and C7.11 of the DoD 6025.18-R. Very Broad in Nature. Has been published in the Federal Register. 68 Fed Reg 17357 (April 9, 2003)
The PHI that is released to a command authority is on a “need to know” basis. Appropriate military command authorities may, however, use and disclose protected health information of Army personnel for activities deemed necessary to assure the proper execution of the military mission (DoD 6025.18-R, paragraph c184.108.40.206.). Appropriate military command authorities include all commanders who exercise authority over an individual (DoD 6025.18-R, paragraph C220.127.116.11.1.).
The phrase “deemed necessary to assure the proper execution of the military mission” includes: (a) determining soldiers’ fitness for duty (DoD 6025.18-R, paragraph C18.104.22.168.1); (b) determining soldiers’ fitness to perform any particular mission, assignment, order, or duty (DoD 6025.18-R, paragraph C22.214.171.124.2.); (c) carrying out activities under the authority of DoD Directive 6490.2, Joint Medical Surveillance, 30 August 1997 (DoD 6025.18-R, paragraph C126.96.36.199.3.), which includes, for example, monitoring the health of a population for the purposes of preventive medicine; (d) reporting on military casualties in any military operation or activity (DoD 6025.18-R, paragraph C188.8.131.52.4.); and (e) carrying out any other activity necessary to the proper execution of the mission of the Army (DoD 6025.18-R, paragraph C184.108.40.206.5.).
There are some instances where permitted disclosures under the HIPAA The Privacy Act (5 USC 552a(g)) permits civil suits against DoD components if the act has been violated and allows recovery of damages, court costs and attorney fees in some cases.
DoD 6025.18-R, DoD Health Information Privacy Regulation, 24 January 2003 DoD Instruction 6025.18, Privacy of Individually Identifiable Health Information in DoD Health Care Programs, 2 December 2009 Public Law 104-191, Health Insurance Portability and Accountability Act of 1996, Section 264, 21 August 1996 Title 42, United States Code, Sections 1320a-1320d-8. 45 CFR Part 160 and Subparts A and E of Part 164 DOD Directives