Tuesday, April 3, 2012

What Happens To An Employee Who Violates The HIPAA Law

HIPAA is a law that allows companies, doctors, employers and insurance companies to exchange private health information in order to facilitate payment for medical care and to let the health care industry work more efficiently with health insurance entities. As a result, employers (and their employees) can have access to health information; mistreatment of this information carries administrative, civil and criminal penalties.


Intent


One intent of HIPAA is to devise standards for financial and administrative transactions to permit efficient electronic exchange of administrative health information. HIPAA also charges the Department of Health and Human Services to draft regulations "with respect to the privacy of individually identifiable health information."


Employment Decisions


Employers are expressly forbidden under HIPAA regulations from using PHI (personal health information) to make employment decisions. HIPAA allows release of PHI only to pay an insurance claim, to provide medically indicated treatment, and in connection with certain "health care operations," unless the employee specifically allows disclosures for other reasons.


Retaliation


Under HIPAA provisions, employers cannot retaliate against a former employee who has complained that his employer violated the rules on release of PHI. The regulations, as written in HIPAA, forbid any such retaliation; however, the law does not establish any specific penalties for the employer or any "private right of action." The only recourse a former employee has is to file a complaint with the OCR (Office of Civil Rights) if he believes his privacy rights were violated. The former employee must file his complaint in writing "within 180 days of the date the complainant knew or should have known of the violation."


Criminal Penalties


An employee who obtains the PHI of another employee or who discloses this personal information can be fined up to $50,000, imprisoned for one year, or both. An employee who "knowingly" violates HIPAA can be imprisoned for five years, fined up to $100,000, or both. A person who "knowingly" violates HIPAA with the intent of selling the PHI or using this information for his commercial advantage can be imprisoned for 10 years, fined up to $250,000, or both.








Civil Penalties


Civil penalties can be imposed for violations of HIPAA. The Office of Civil Rights can impose a penalty of up to $100 for each violation on any "person" (employee) who violates HIPAA; the maximum fine is $25,000 for separate incidents of the same requirement or violation. However, these penalties cannot be imposed if the employee liable for the violations did not know he was violating HIPAA and would not have known of the violation despite exercising reasonable diligence, or if the compliance failure was due to something other than willful neglect and is rectified within 30 days from when the responsible employee knew (or should have known) of the failure to comply with HIPAA.
