Posted on 09/07/2008 4:14:17 PM PDT by jern
If you think I don't, it's only because I will it.... :^)
The penalty provision apply to any person who violates the provisions "of this part." The part (the administrative simplification provisions) applies only to covered entities and business associates.
Individually identifiable health information that was initially disclosed in violation of HIPAA doesn't carry a taint with it that follows to each recipient.
In December 2002, HHS issues FAQ confirming that the privacy rule applies only to covered entities and business associates. HHS stated that "the law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation."
In 2004's University of Colorado Hospital Authority v. The Denver Publishing Co, a federal judge ruled that a newspaper that published PHI in a peer review report obtained in violation of HIPAA could not be sued directly because HIPAA did not establish a personal cause of action. That was already known, because the commentary accompanying publication of the regulations, and publications issued by the DoJ, told us that. However, the judge also denied motions against the newspaper on the grounds that it was not a covered entity nor a business association and could not have violated HIPAA's disclosure rules.
We should probably take any further discussion of this private, as I imagine everyone else would get tired of it. Certainly, individuals in the health provider, claims processing, and insurance industries, and lawyers, aren't the only ones who understand HIPAA, but I'm curious about the base of knowledge from which you're arguing these points. Curious, simply because if I'm wrong in these areas (and if I've been wrong for several years now), then I'd like to know. HIPAA has been a primary part of my practice throughout the development of the administrative simplification rules (strange name for privacy rules, isn't it?).
What is your source for saying HIPAA rules can't be washed like drug money, longtermmemmory? And, airedale, even though it's an arcane part of drafting, do you see how a statement that HIPAA applies to "each person" may mean less than each person when it talks about violating "this part," and "this part" only applies to a certain group of people?
not quite again, if i induce a third party to commit the violation for me then I have serious liability issues.
(just refering to real world experience)
HIPAA is much more limited than most people think, in my experience. HIPAA even has a reverse preemption provision in recognition of the fact that most states already had medical records privacy laws that are more stringent than HIPAA.
Although HIPAA's best known as a health information privacy statute and regulation, that wasn't its purpose. HIPAA began as a requirement that certain treatment and payment information, if transmitted electronically, be transmitted using certain standards. Insurers and others would no longer be allowed to have their own system and requirements for electronic transmission of treatment and payment information. There would be one federally-mandated standard.
Once patient advocacy groups realized that HIPAA would likely result in increased electronic transmission of health information, there was a push for privacy standards. HIPAA is essentially a safety net of privacy standards and most states already had laws that were more protective in many ways.
Because the privacy regulations grew out of a statute and congressional mandate dealing with the electronic transmission of health information, the initial statute and regulations applies only to defined 'covered entities' and 'business associates.' HHS simply doesn't have congressionally-given authority to apply HIPAA's privacy standard to any part other than those subject to the electronic standards part of the regulations.
That's all an oversimplification, but it's close enough.
I guess I'm just being anal as an attorney who works in this area. There may be state and federal privacy laws that are applicable in this case, but HIPAA isn't one of them. HIPAA doesn't even allow private suits; only the DoJ can bring an action against someone for violation of HIPAA.
Not trying to be a know-it-all; just stating that I respectfully disagree with you.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.