PRIVACYnotes

Civil Monetary Penalties for HIPAA Enforcement Rule
 

Home | Privacy Links | Opt-Out

   



Archive

PRIVACYnotes #1

PRIVACYnotes #2
PRIVACYnotes #3
PRIVACYnotes #4
PRIVACYnotes #5
PRIVACYnotes #6
PRIVACYnotes #7
PRIVACYnotes #8
PRIVACYnotes #9
PRIVACYnotes #10
PRIVACYnotes #11
PRIVACYnotes #12
PRIVACYnotes #13
PRIVACYnotes #14
PRIVACYnotes #15
PRIVACYnotes #16
PRIVACYnotes #17
PRIVACYnotes #18
PRIVACYnotes #19
PRIVACYnotes #20
PRIVACYnotes #21
PRIVACYnotes #22
PRIVACYnotes #23
PRIVACYnotes #24
PRIVACYnotes #25
PRIVACYnotes #26
PRIVACYnotes #27
PRIVACYnotes #28
PRIVACYnotes #29
PRIVACYnotes #30
PRIVACYnotes #31
PRIVACYnotes #32
PRIVACYnotes #33
PRIVACYnotes #34
PRIVACYnotes #35
PRIVACYnotes #36
PRIVACYnotes #37
PRIVACYnotes #38
PRIVACYnotes #39
PRIVACYnotes #40
PRIVACYnotes #41
HIPAA

Civil Monetary Penalties for HIPAA Enforcement Rule


On Monday, June 16, 2003 the Health Privacy Project filed comments on the Interim Final Rule on Civil Monetary Penalties for HIPAA.

The full text of HPP’s comments is available at HPP’s website.

This interim final rule is HHS’ first installment of a bigger rule that the Department intends to promulgate in the future for the enforcement of HIPAA, called the "Enforcement Rule." The Enforcement Rule will set procedural and substantive requirements for the imposition of civil monetary penalties.

In this first installment, HHS has set out to inform regulated entities about their approach to enforcement and to inform them of a few basic procedural rules that will govern enforcement. All of the substantive issues about enforcement - such as what will actually constitute a violation, and how will penalties be determined - and much of the more complicated procedural questions will be addressed in the bigger "Enforcement Rule" that is forthcoming.

The Health Privacy Project’s comments emphasized two points. First, HPP is concerned with the Secretary of Health and Human Services' general approach to enforcement of the privacy rules, which is to primarily respond to complaints about possible violations of the rules instead of actively monitoring entities covered by the rules to ensure compliance.

In our comments we are asking for the routine monitoring of covered entities for compliance, for an annual report by HHS accounting for enforcement activities and for better education of the public regarding its rights, if HHS is to rely on the public's complaints for enforcement.

Second, HPP is also very concerned by the absence in this interim final rule of any role in the enforcement process for the individual whose privacy was violated by the unlawful use or disclosure of his or her sensitive medical information. Under HIPAA, consumers do not have a private right of action; instead the Secretary of Health and Human Services can initiate an investigation and enforcement process.

We suggest ways in which the role of the individual harmed can be strengthened in the enforcement proceedings, including notification of the individual and acceptance of testimony or written statements by the individual in the proceedings.

For further information please contact
Katharina Kopp
Program Manager
Health Privacy Project
at 202-721 5614 or
kkopp@healthprivacy.org.