A Legal Guide to PRIVACY AND DATA SECURITY 2024

covered entities. There are additional exemptions from the restrictions on disclosure of PHI for a number of specified reasons, including for law enforcement purposes, judicial and administrative proceedings, research, or to avert a serious public health threat. Note, though, that these exemptions are subject to very specific conditions before they can be applied. For example, research involving PHI can occur pursuant to a qualifying waiver of patient authorization by an Institutional Review Board, but the fact that an activity meets the definition of “research” is not on its own sufficient to permit the disclosure.

Enforcement. HIPAA is enforced by the Office for Civil Rights (OCR) within HHS. This office can initiate investigations into covered entities’ information handling practices to determine whether they are complying with the HIPAA Privacy Rule. Individuals also have the right to file complaints with HHS about privacy violations. In addition, the HITECH Act gave state attorneys general the right to initiate enforcement actions under HIPAA. HIPAA does not include a right for individuals to bring private actions.

Civil and Criminal Liability. A person who violates HIPAA due to willful neglect and does not correct the violation within 30 days can be fined $50,000 per violation. Penalties are mandatory when willful neglect can be shown. Potential criminal penalties for HIPAA violations include fines of $50,000 to $250,000 and up to ten (10) years in prison. Criminal enforcement occurs through the Department of Justice, and civil enforcement occurs through the OCR. As noted above, state attorneys general can now also bring HIPAA actions in accordance with the HITECH Act.

Continued Developments. HIPAA continues to evolve. This can be seen in a variety of ways, including a series of proposed rulemakings that would modify various parts of the regulations discussed above.
For example, in November 2022 HHS and the Substance Abuse and Mental Health Services Administration issued a proposed rulemaking related to the confidentiality of substance use disorder records pursuant to a statutory directive to align certain parts of HIPAA and the federal substance use disorder regulations (known as “Part 2” because they are