On July 20, 2021, U.S. Rep. Marjorie Taylor Greene (R-GA) was asked by a reporter at her office: “Have you yourself gotten vaccinated?” Her response: “Your first question is a violation of my HIPAA rights. You see with HIPAA rights we don’t have to reveal our medical records and that also includes our vaccine records.” Ever since vaccines were developed to combat the COVID-19 pandemic, groups of skeptics have emerged to challenge any governmental request for Americans to either get vaccinated or disclose they were vaccinated. Many have taken to social media to proclaim that anyone who inquires that they were vaccinated have violated their HIPAA rights and will be subject to civil and criminal penalties. Unfortunately, these statements have contributed to a great misunderstanding of what HIPAA protects and does not protect against. When exactly is HIPAA violated?
HIPAA STATUTES AND RULES GENERALLY
Before anyone can explain what HIPAA prohibits, it is important to understand what HIPAA protects first. The Health Insurance Portability and Accountability Act of 1996 (also called the Kennedy-Kassebaum Act but simply called HIPAA) was signed into law by President Bill Clinton on August 21, 1996. The intention of the act, as stated in the long title, is “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, [and] to simplify the administration of health insurance.” It is a large and comprehensive act that is continuous amended over time. It consists of five sections, known as titles:
- TITLE I: Health Care Access, Portability and Renewability – this section regulates the availability of group health plans and individual health insurance policies and protects health insurance coverage for workers who change or lose jobs.
- TITLE II: Preventing Health Care Fraud and Abuse; Administrative Simplification and Enforcement of Group Health Insurance Requirements – this section establishes policies and procedures for maintaining the privacy and security of individually identifiable heath information and establishes offenses and penalties against designated individuals and groups that violate these rules.
- TITLE III: Tax-related Health Provisions – this section modifies the Internal Revenue Code and provides standard deductions for health insurances, health savings accounts and medical savings accounts.
- TITLE IV: Application And Enforcement Of Group Health Insurance Requirements – this section outlines how health insurance companies have to treat preexisting conditions for the purposes of offering coverage and benefits.
- TITLE V: Revenue Offsets – this section regulates company-owned life insurance and provides legal provisions for those people who give up U.S. citizenship or permanent residency.
Under Title II, Congress requires the Department of Health and Human Services (DHHS) to increase the efficiency of the health-care system by creating so-called Administrative Simplification Rules for the use and dissemination of health-care information. It is these rules that lay out the necessary standards to prohibit the unauthorized disclosure of private patient information. To date, DHHS has created five rules under Title II to effectuate this goal:
- HIPAA Privacy Rule – consists of regulations for the use and disclosure of Protected Health Information (PHI) in healthcare treatment, payment and other operations.
- HIPAA Transactions And Code Sets Rule – consists of regulations to require all health plans to engage in health care transactions in a standardized way for simplification.
- HIPAA Security Rule – consists of regulations to provide administrative, physical and technical security safeguards for PHI that is transmitted electronically.
- HIPAA Unique Identifiers Rule – consists of regulations to provide National Provider Identifier (NPI) numbers to health care providers for identifications in standard transactions of PHI to reduce identity theft and increase security.
- HIPAA Enforcement Rule – sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and administrative hearings.
However, these HIPAA regulations do not apply to everyone. DHHS has established under its regulations that these standards apply, in whole or in part, to the following “covered entities”:
- A Health Plan – is “an individual or group plan that provides, or pays the cost of, medical care…” 42 U.S.C. §1320d(5).
- A Health Care Clearinghouse – is an “entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.” 42 U.S.C. §1320d(2).
- A Health Care Provider – is any “person furnishing health care services or supplies,” including a “provider of services” and a “provider of medical or other health services.” 42 U.S.C. § 1320d(3). A “provider of services” is a “hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, [or] hospice program …” 42 U.S.C. §1395x(u). A “provider of medical and other health services” is any person who provides any of a long list of such services, including “physicians’ services,” “services and supplies . . . furnished as an incident to a physician’s professional service, of kinds which are commonly furnished in physicians’ offices and are commonly either rendered without charge or included in the physicians’ bills,” “outpatient physical therapy services,” “qualified psychologist services,” “clinical social worker services,” and certain services “performed by a nurse practitioner or clinical nurse specialist.” 42 U.S.C. §1395x(s). The health care providers only qualify as covered entities if they transmit any health information in electronic form in connection with certain transactions.
- A Prescription Drug Card Sponsor – is “any nongovernmental entity that the Secretary [of DHHS] determines to be appropriate to offer an endorsed discount card program, “including “a pharmaceutical benefit management company” and “an insurer.” 42 U.S.C. §1395w-141(h)(1)(A).
Many health care providers and health plans do not carry out all activities and functions by themselves and employ the services of other persons and businesses. These business associates include third party claims administrators, CPAS, attorneys and consultants. HIPAA rules allow these covered entities to disclose PHI to these “business associates” if the providers or plans obtain satisfactory assurances (in a written business associate contract) that the business associate will only use the PHI for the purposes for which it was hired by the covered entity, will safeguard the information, and will help the covered entity comply with its duties under HIPAA. Otherwise, all disclosures and disseminations must strictly comply with the HIPAA regulations.
The HIPAA rules under Title II apply only to these “covered entities” and their “business associates” regarding unauthorized dissemination and disclosure of PHI. If you are not a covered entity or business associate, then you are not subject to HIPAA violations or penalties regarding asking about, reviewing or disclosing someone’s medical information. This includes family members, friends, business employees, reporters or random strangers provided that none of them are employed in the health care profession and could be considered part of a covered entity.
CIVIL AND CRIMINAL PENALTIES FOR VIOLATING HIPAA
A covered entity that violates these provisions are subject to civil and criminal penalties. Regarding civil penalties, the DHHS “shall impose on any person who violates a provision of this part …” 42 U.S.C. §1320d-5(a)(1). The level of the fine to be imposed are under the following criteria:
- The first level applies to cases for violations in “which it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision.” 42 U.S.C. 1320d-5(a)(1)(A). The penalty is a minimum $100 and up to $50,000 per violation, for a maximum of $25,000 for that person per calendar year. 42 U.S.C. §1320d-5(a)(3)(A).
- The second level applies to cases for violations in “which it is established that the violation was due to reasonable cause and not to willful neglect.” 42 U.S.C. 1320d-5(a)(1)(B). The penalty is a minimum $1,000 and up to $50,000 per violation, for a maximum of $50,000 for that person per calendar year. 42 U.S.C. §1320d-5(a)(3)(B).
- The third level applies to cases for violation in which it is established that the person willfully neglected such provision but corrected the violation within 30 days of discovery. 42 U.S.C. 1320d-5(a)(1)(C)(i). The penalty is a minimum $10,000 and up to $50,000 per violation, for a maximum of $250,000 for that person per calendar year. 42 U.S.C. §1320d-5(a)(3)(C).
- The fourth level applies to cases for violation in which it is established that the person willfully neglected such provision but made no effort to correct the violation within 30 days of discovery. 42 U.S.C. 1320d-5(a)(1)(C)(ii). The penalty is $50,000 per violation, up to a maximum of $1,500,000 for that person per calendar year. 42 U.S.C. §1320d-5(a)(3)(D).
State attorney generals are also empowered since 2009 to hold covered entities accountable for PHI exposure of state residents by filing civil actions in federal court. Under the HITECH Act, HIPAA violations fines can be issued by the federal judge at a minimum of $100 and up to $25,000 per violation category per calendar year. 42 U.S.C. §13410(e)(1). This is separate from and in addition to any penalties levied by federal authorities.
The HIPAA statutes provides criminal sanctions for violations involving disclosures of “unique health identifiers” or “individually identifiable health information”, meaning that information which “identifies the individual” or “with respect to which there is a reasonable basis to believe that the information can be used to identify the individual”. 42 U.S.C. §1320d(6). A covered entity is subject to criminal penalties if he or she knowingly does any of the following in violation of HIPAA rules under 42 U.S.C. §1320d-6(a).
- (1) uses or causes to be used a unique health identifier;
- (2) obtains individually identifiable health information relating to an individual; or
- (3) discloses individually identifiable health information to another person.
The criminal penalties are as follows:
- Generally, a violation is punishable as a misdemeanor by a fine of not more than $50,000 and/or imprisonment for not more than one year. 42 U.S.C. §1320d-6(b)(1).
- A violation becomes a felony punishable by a fine up to $100,000 or up to five years in prison if it was committed under false pretenses. 42 U.S.C. §1320d-6(b)(2).
- A violation becomes a felony punishable by a fine up to $250,000 or up to ten years in prison if it was committed “with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.” 42 U.S.C. §1320d-6(b)(3).
WHAT TYPE OF CONDUCT VIOLATES HIPAA?
There are over 115 pages of specific regulations in which “covered entities” can violate the HIPAA Privacy rule, so it is impossible to list every single possible scenario. The following include the most common types of violations as identified by DHHS:
- A hospital employee talking about a patient’s PHI to unauthorized co-workers, family or friends. If another employee at the same hospital does not work on the same unit or has no valid reason to know this PHI, then HIPAA is violated. In addition, talking about a patient’s PHI to authorized medical personnel but in a public place where other unauthorized persons can hear also violates HIPAA.
- A clinician leaves a patient’s chart or records in a room where other patients can see it as opposed to keeping it in a secure location. It doesn’t matter if it was an accident and that clinician left it to rush to another emergency.
- A medical worker’s laptop or smartphone containing PHI is lost or stolen which can facilitate unauthorized access. HIPAA requires that these medical workers must ensure these devices are password protected, is not left logged on when unattended, and that the data is protected by encryption.
- Medical personnel texting or emailing PHI between each other. It is prohibited to include a patient’s name or information in an SMS text or unsecured email message. This information should only be transmitted by approved electronic medical record software.
- Medical employees who access patient information on the work computer when they are not authorized to (e.g. not specifically related to that patient’s diagnosis or treatment). It is a HIPAA violation to access a patient’s information for any other reason not related to the patient’s care, even if that reason was just to randomly look in files.
- A registered nurse or doctor posting a picture of a patient on social media, even if no names or PHI is used. Someone else on the Internet can easily identify the person, thus triggering the HIPAA violation.
- The hospital made a mistake on the HIPAA disclosure paperwork and omitted a “right to revoke” clause or even forgot to obtain the patient’s signature. Even if the patient would have otherwise consented, this defect is a HIPAA violation.
The vast majority of these violations are discovered when DHHS does compliance audits of the covered entity’s records to check for completion and adherence to the law. Even the most minor oversight on these forms or records triggers an individual violation subject to a fine, and each occurrence is cumulative to where the health care provider could be subject to fines approaching thousands or millions of dollars.
WHAT TYPE OF CONDUCT DOES NOT VIOLATE HIPAA?
Now that we know what can constitute a HIPAA violation, it is just as important to know what is NOT a HIPAA violation. The following situations do not trigger violations or penalties:
- An employer asking you if you have received the COVID-19 vaccination. Unless your employer is a health care provider or a doctor, they are not a “covered entity” under HIPAA and therefore can require you to be vaccinated or ask for your vaccination card.
- A grocery store asking you why you are not wearing a mask in their building as they require (even if you actually have a medical condition that would exempt you from wearing a mask). The grocery store is not a “covered entity” under HIPAA and therefore can inquire into the reasons why you should be covered under their mask rules.
HIPAA is a very comprehensive set of federal laws and regulations so it is not always easy to tell when it is being violated or not. Whenever you are unsure, you are always free to consult with skilled legal counsel to learn what your rights and responsibilities are in any given situation. If you have further questions or need legal representation, then do not hesitate to contact the experienced attorneys at Kershaw, Vititoe & Jedinak PLC for assistance today.