Can you please shed some light on whether sanctions for noncompliance will be leveled against the agency, the employer, or the employee?
HIPAA Weekly Advisor, July 12, 2004
The authority for administering and enforcing compliance with the HIPAA privacy rule has been delegated to the Department of Health and Human Services (HHS) Office for Civil Rights. "Enforcement activities will focus on obtaining voluntary compliance through technical assistance. The process will be primarily complaint-driven and will consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan," according to the October 15, 2002 HHS press release announcing assignment of enforcement responsibility to CMS.
The HIPAA privacy rule directly applies to "covered entities," which include health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form in connection with a transaction covered by the Privacy Standards (such as healthcare payments, remittance advice, claims status, coordination of benefits, etc.).
The Secretary of HHS may impose civil money penalties against any covered entity that violates a requirement of the privacy rule. These civil money penalties may not be imposed against third parties. As a result, an employer would not be subject to civil money penalties, because it is not a covered entity. However, the employer's health plan or insurance company or other entity defined by the privacy rule as a "health plan," which is a covered entity, is subject to the penalties for violating the requirements of the privacy rule.
Editor's note: This question was answered by Cheryl S. Camin, JD, MPH, an associate in the Corporate/Health Law Practice Group of Gardere Wynne Sewell LLP in Dallas, Texas.