December 21, 2001

Brace Yourself For The New Privacy Regulations

Holland & Knight Newsletter
Shannon Britton Hartsfield

As one of his last major official acts, President Clinton is issuing today a sweeping set of regulations designed to protect the privacy of patient medical information. These new rules, implementing portions of the Health Insurance Portability and Accountability Act (HIPAA), will dramatically affect a multitude of entities that handle medical information, including health care providers, health plans, and employers, as well as accountants, managers, lawyers, billing companies and other entities that provide services to health care providers. The government estimates that these privacy reforms will cost the health care industry $17.6 billion over the next 10 years.

The final rules significantly expand the scope of the proposed rules originally issued in November of 1999. Unlike the proposed rules, which applied primarily to electronic records, these new rules impose privacy standards on all individually identifiable patient information, including paper records and oral communications. Individually identifiable information consists of any information, such as a name, address, medical record number, driver's license number, or Social Security number, that would enable one person to identify another person. Patient consent must be obtained even for routine disclosures of information, which is a significant expansion from the proposed rule.

Severe penalties could apply to entities that do not come into compliance with the new privacy rules within the next two years. HIPAA's criminal penalties apply to those who knowingly and in violation of HIPAA's rules obtain individually identifiable health information relating to an individual, or disclose individually identifiable health information to another person. Depending on the specific nature of the offense, penalties could range from $100 to $250,000, and could include imprisonment for up to 10 years.

The clock is ticking for health providers and other affected entities to come into compliance. Businesses and individuals that handle patient information should determine whether and to what extent the rules will impact their operations. They must also formulate a plan to institute policies and procedures to ensure that they will comply with the rules as soon as possible.
