New HIPAA Privacy Regulations Telephone Seminar

Pennsylvania Trial Lawyers Association

New HIPAA Privacy Regulations  
Brand new Privacy Regulations dealing with medical records


Liability, Penalties & Causes of Action:


At the highest tier, a violation is punishable by a fine of up to $250,000 and up to 10 years' imprisonment. 

The US Department of Health and Human Services has publicly stated that it plans to go easy on enforcement, which will be handled by its Office for Civil Rights.  According to a spokesman, the agency has no intention of coming after inadvertent violators, at least initially.  Rather, enforcement will be prompted by complaints and by intentional violations. 

Standards for Privacy of Individually Identifiable Health Information (unofficial version), 45 CFR Parts 160 and 164: regulation text of December 28, 2000, as amended (Part 160, May 31, 2002; Parts 160 and 164, August 14, 2002). 

1.         Section 160.306 - Complaints to the Secretary


1.1               Right to file a complaint.  A person who believes a covered entity is not complying with the regulations may file a complaint with the Secretary.


1.2               Requirements for filing a complaint: 

        Must be in writing, either on paper or electronically.

        Must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation. 

        Must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown. 

        Secretary may prescribe additional procedures for filing of complaints in the Federal Register.


1.3               Investigation.  The Secretary may investigate complaints filed under this section, including a review of the covered entity's pertinent policies, procedures and practices and of the circumstances of the alleged acts or omissions.


1.4               Section 160.308 - Compliance reviews.  The Secretary may conduct compliance reviews to determine whether covered entities are complying. 


1.5               Section 160.310 - Responsibilities of covered entities.  Covered entities must keep such records and submit such compliance reports as the Secretary may determine are necessary to ascertain compliance. 


1.6               A covered entity must cooperate with the Secretary in any investigation or compliance review. 


1.7               A covered entity must permit access by the Secretary during normal business hours to its facilities, books, records, accounts and other sources of information, including PHI, that are pertinent to ascertaining compliance.  If the Secretary determines that exigent circumstances exist (for example, that documents may be hidden or destroyed), access must be permitted at any time and without notice. 


1.8               If any information required of a covered entity is in the exclusive possession of another agency, institution or person, and that party fails or refuses to furnish it, the covered entity must so certify and describe the efforts it has made to obtain the information.


1.9               Protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed by the Secretary, except where necessary to ascertain or enforce compliance or where otherwise required by law. 


1.10           Section 160.312.  The Secretary will take action regarding complaints and compliance reviews. 


1.11           The Secretary will attempt to resolve problems by informal means whenever possible.  If non-compliance is found and cannot be resolved informally, the Secretary may issue written findings documenting the non-compliance and provide them to the covered entity and, if the matter arose from a complaint, to the complainant.  If no violation is found, the covered entity and any complainant are informed in writing. 


2.                  Working With Records


2.1               Providing access.  - Covered entities must act on an individual's request for access to PHI within 30 days of receipt, or within 60 days if the PHI is not maintained or accessible on site.  If the covered entity is unable to act within that time, it may take a single 30-day extension, provided it gives the individual a written statement of the reasons for the delay and the date by which it will act. 


2.2               Fees.  A reasonable, cost-based fee may be charged so long as it is limited to:

        Cost of copying PHI

        Supplies and labor

        Postage, if the individual wants it mailed.

        Preparation of an explanation or summary, if the requestor agrees to receive such a summary. 

        Costs of paper or computer disks.  Covered entities may not, however, charge for retrieving or handling the information or for processing the request.


2.3               Amending and correcting records - Individuals have a right to request that a covered entity amend their PHI for as long as the information is maintained in a designated record set.  This covers both paper and electronic records.


2.4               Within 60 days of receiving an amendment request, a covered entity must act on it by granting or denying it, in whole or in part.  Denials must be in writing. 


2.5               If the entity cannot meet the 60-day deadline, it may unilaterally take a single 30-day extension.  However, it must inform the requestor in writing of the reasons for the delay and the date by which it will complete action on the request. 


2.6               If the covered entity grants the request, it must make the amendment by, at a minimum, identifying the records in the designated record set that are affected and appending or otherwise linking the amendment to them.


2.7               The covered entity may deny a request for amendment if it determines that it did not create the information (unless the originator is no longer available to act on the request), that the information is not part of the designated record set, that the information would not be available for inspection by the individual, or that the information is accurate and complete. 


2.8               A covered entity must give a timely, written denial in plain language that states the basis for the denial and explains the individual's right to submit a written statement of disagreement. 


2.9               Accounting for disclosures. - Individuals have the right to request an accounting of disclosures of their PHI made during the 6 years prior to the date of the request, subject to the rule's exceptions (notably disclosures to carry out treatment, payment or health care operations, disclosures to the individual, and disclosures made pursuant to an authorization).  An individual may also request an accounting for a period shorter than 6 years or specify a date range within the 6-year period. 


3.         Compliance and Offenses - Detail


3.1        Compliance - Tab 800, Guide to Medical Privacy and HIPAA, Thompson Publishing Group.


        The Centers for Medicare and Medicaid Services (CMS) will enforce the electronic transactions and code sets provisions through a separate office within the agency, which will establish and operate enforcement processes and develop regulations for the HIPAA standards for which CMS is responsible. 


3.2        CMS and OCR (Office for Civil Rights) will work together on outreach and enforcement and on issues that involve both organizations, such as application of the security standards or exception determinations.


3.3        The privacy regulations also state that the Secretary of the Department of Health and Human Services (DHHS) will publish a separate enforcement regulation addressing the Department's enforcement responsibilities under the HIPAA provisions.  Until that time, and until OCR and CMS begin to take formal enforcement action, the scope and frequency of audits and the nature of investigations remain uncertain. 


3.4        Also uncertain are the ramifications the HIPAA provisions will have in other legal venues, most notably in enforcement efforts under state law. 


3.5        The final privacy rules did not include a private right of action to sue, but DHHS (Department of Health and Human Services) reiterates in the rule's preamble that it believes such a right to be fundamental to the success of the federal privacy standard. 


3.6        The Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) are vested with authority to investigate complaints, conduct compliance audits and reviews, and make referrals for criminal prosecution. 


3.7        US Health & Human Services is authorized to provide technical assistance to covered entities to help them fulfill their obligations. 


3.8        As indicated, the Office for Civil Rights will police HIPAA compliance through a complaint system and periodic compliance reviews. 


3.9        Complaint system - Governed by 45 CFR § 160.306(a), APP V.  Even employees may file a complaint with the Office for Civil Rights.  QUERY:  Does the Administrative Procedure Act apply, requiring a party to be "aggrieved," that is, to have standing, in order to be a complainant?  Neither the statute nor the rule addresses this, and the rule is very broad.


3.10     Filing instructions discussed earlier. 


3.11     Investigation and procedure discussed earlier. 


3.12     Enforcement penalties. 


3.13     Civil monetary penalties.  DHHS may impose a penalty of up to $100 for each violation.  Penalties for multiple violations of an identical requirement or prohibition are capped at $25,000 in a single calendar year.  If the act constitutes a criminal offense under the statute, the civil monetary penalty (CMP) provisions do not apply.  See 42 U.S.C. § 1320d-5(b)(1), APP I.


3.14     The DHHS Secretary has broad discretion with regard to penalties.  No civil monetary penalty may be imposed if it is established to the satisfaction of the Secretary that the person liable did not know, and by exercising reasonable diligence would not have known, that the act violated the provision. 


3.15     Similarly, no penalty may be imposed if the non-compliance was due to reasonable cause and not to willful neglect and is corrected within 30 days of the date the person knew, or by exercising reasonable diligence would have known, of the failure; the Secretary may extend that period based on the nature and extent of the failure. 


3.16           Criminal sanctions. - Criminal sanctions apply to a person who, knowingly and in violation of the statute, does any of the following:


        Uses or causes to be used a unique health identifier;

        Obtains individually identifiable health information relating to an individual; or

        Discloses individually identifiable health information to another person.

        The perpetrator must have acted "knowingly."

        Base penalty:  a court may impose a fine of up to $50,000 and/or imprisonment of up to 1 year on any person who commits such an offense.  The aggravated tiers in 3.17 and 3.18 increase these maximums.


3.17           If the offense is committed under false pretenses, the fine may increase to $100,000 and/or imprisonment of not more than 5 years. 


3.18           If the offense is committed with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, a court may fine the person up to $250,000 and/or imprison the person for not more than 10 years.


4.         Special Problems


4.1             Legal concerns:

        A covered entity may lose the benefit of communicating with its counsel because the attorney/client privilege may be impaired by the regulations.

        Covered entities ought to be able to get independent advice from counsel without subjecting the protected communications to DHHS scrutiny. 


4.2             Employee considerations:

        Any person, including an employee, may report an allegation of non-compliance to the federal government. 

        Covered entities may not retaliate against employees or others who act as whistleblowers. 

        A covered entity cannot fire, demote, discriminate against, or otherwise treat adversely any employee for filing a complaint with OCR, for testifying or assisting in an investigation or compliance review, or for opposing a practice the employee in good faith believes unlawful. 


4.3             Patients' standing right to sue -  HIPAA does not provide a private cause of action for individuals who have suffered harm as a result of a covered entity's failure to comply with HIPAA. 


4.4             Nothing within HIPAA prohibits or preempts aggrieved individuals from filing a state law claim against a covered entity for its non-compliance and the resulting harm.  QUERY:  State law that is not contrary to HIPAA survives, but what if the two conflict?  Under 45 CFR § 160.203, a contrary state law is preempted unless, among other exceptions, it is more stringent in protecting privacy.  For example, see 42 Pa. C.S.A. 6155(b), dealing with the right to records and setting a specific amount a provider may charge; compare the fee limits in paragraph 2.2, above.


4.5             Since Pennsylvania does provide a cause of action for disclosure of medical records, the HIPAA regulations may serve as evidence of the standard of care or even support a per se finding of a violation of state law. 


4.6             In the privacy rule's preamble DHHS states that the rule is not intended to preempt any state law allowing individuals a private cause of action, 65 FR 82506, APP V, on-line at


4.7             Many industry groups sought to exclude a private right of action.  The question is whether the courts will imply one; while the federal courts have generally been reluctant to do so, the result may be different here given the specific aim of protecting patient privacy.  State licensing boards may use the HIPAA privacy and security obligations as the standard of care in assessing whether a covered entity has breached state law obligations to preserve the confidentiality of patient information. 


5.         State Law Considerations


5.1             Entitlement under Pennsylvania law to medical records is found at 42 Pa. C.S. 6155(b) and in the Pennsylvania Patient Bill of Rights at 28 Pa. Code 103.22.  Specific charges are set forth by Pennsylvania law.


5.2             See Reem Haddad v. Gopal, 787 A.2d 795 (Pa. Super. 2001), finding a private cause of action for breach of confidentiality in the handling of medical records and distinguishing prior case law.  Where such causes of action have been recognized, it has been in cases of extra-judicial disclosure of confidential information or in cases, such as custody matters, where the plaintiff's physical condition was not at issue.  A party or spouse may waive the protection.  "Doctors have an obligation to their patients to keep communications, diagnoses, and treatment completely confidential.  Especially when, as in this case, sexually transmitted disease is an issue.  Pennsylvania courts, in fact, recognize loathsome disease in defamation suits is actionable per se without special proof of harm because of their highly sensitive nature."  At p. 12.  Further, "patients, further, are aware of the promises of discretion contained in the Hippocratic Oath and must be able to rely on those promises."  At p. 6.


5.3             42 Pa. C.S. 6155 (2002) - rights of patients


5.4             42 Pa. C.S. 6152 (2002) - subpoena of records


5.5             28 Pa. Code 103.22 - Implementation - Patient Bill of Rights


5.6             40 P.S. 991.2136 (2002) - Insurance Companies, Quality Health Care Accountability and Protection information for enrollees


5.7             40 P.S. 991.2152 (2002) - Insurance Companies - Quality Health Care Accountability and Protection Utilization Review


5.8             40 P.S. 1303.906 (2002) - Medical Care Availability and Reduction of Error (MCARE) Act - Administrative Provisions, Confidentiality Agreements


5.9             50 P.S. 7111 (2002) - Mental Health Procedures, Confidentiality of Records


5.10         42 Pa. C.S. 5944 (2002) - Confidential Communications to Psychiatrists or Licensed Psychologists


5.11         42 Pa. C.S. 5929 (2002) - Physicians Not to Disclose Information


5.12         23 Pa. C.S. 6339 - Domestic Relations - Abuse of Family, Child Protective Services, Confidentiality of Reports


5.13         22 P.S. 876-7 - Children Infant Hearing Education, Assessment, Reporting and Referral - Confidentiality of Records


5.14         35 P.S. 7607 (2002) - Health and Safety - Confidentiality of HIV-Related Information Act - Confidentiality of Records


5.15         40 P.S. 626.8 (2002) - Life and Endowment Insurance and Annuities Viatical Settlements Act - General Rules


5.16         40 P.S. 626.10 - Insurance Companies - Life and Endowment Insurance and Annuities Viatical Settlements Act - Fraud and Prevention Control


5.17         62 P.S. 1404 (2002) - Special Recipient Participation Requirements


5.18         71 P.S. 1690.108 (2002) - Governor's Council on Drug and Alcohol Abuse - Confidentiality of Records


6.         Commonly Asked Questions:


6.1             Is an ordinary plaintiff's law firm covered under the Act?  In my opinion, no.


6.2             What if my firm has agreements with insurance companies, Blue Cross/Blue Shield or whomever, to collect subrogation liens or reimbursement?  The answer certainly can be yes, since you may then be a "business associate" of a "covered entity." 


6.3             Is there anything I should have clients sign just to cover myself if I do plaintiffs' work and do not have any kind of agreement on liens or subrogation?  Yes, it would be prudent.  We utilize a general disclosure information form under HIPAA so the clients will know we are getting their records and what we will be doing with them.


6.4             Need I change my authorizations?  Again, it would be prudent, since the entities you receive records from are going to want you to use an authorization that satisfies the Act.  Some forms have been posted, and we have our own - a short form and a long form.


6.5             If I am a defense firm and I am going to be sending the plaintiff's records out to our experts or others, must I inform the plaintiff or his attorney?  As the rules and regulations are written now, it seems that the answer must be yes, although more research in this area will be required.

