The Health Insurance Portability and Accountability Act — usually just called HIPAA — is a federal law governing health care. Title I of the law established health insurance guidelines for workers who have lost their jobs. Title II — the better-known provision of the act — establishes national electronic data standards and addresses medical privacy.
Group Plan Access and Restrictions
Title I of HIPAA limits the exclusions that are allowed in group medical plans, such as those you offer to your employees. For example, employers can only choose insurance plans that exclude pre-existing conditions if the exclusion lasts less than a year — 18 months in the case of late enrollment. Group plans are also prohibited from looking further back than six months when excluding pre-existing conditions. HIPAA also establishes guidelines that make it easier for employees to switch health insurance and to retain their insurance if they lose their jobs. Changes to HIPAA in 2013 were designed to make the law work alongside the Affordable Care Act. These changes include expanded rights to request electronic health information, the right to pay out-of-pocket without notifying an insurance company of a procedure, and stricter penalties for violations.
HIPAA establishes national standards for electronic records that are designed to protect patient privacy. Under the law, the Department of Health and Human Services has to issue guidelines for protecting medical data, and medical offices are required to comply with these rules. Doctors must also protect patient confidentiality, including the confidentiality of patients 12 and older. This has numerous implications, and usually means medical practices have to get a signed consent form before releasing medical information to anyone. Medical offices must also provide patients with a HIPAA privacy statement outlining their privacy practices, and provide a complaint process if a patient feels her privacy has been violated. In 2013, changes to the law made employees, contractors and subcontractors directly liable for HIPAA violations.
Penalty for Violations
HIPAA provides for tiered penalties for violations. If the violation is accidental and unknowing, the minimum penalty is $100 per violation and the maximum is $50,000. Willful violations carry a minimum penalty of $50,000 per violation. Patients can also sue you for violating their privacy rights, particularly if they suffer some financial loss as a result of the violation. State attorneys general can establish additional regulations and penalties for privacy violations.