state’s and HIPAA’s requirements (quotation marks omitted).304 The only difference between HIPAA and the Minnesota statute is the remedy that each provides, not the requirements that each law imposes.305 Therefore, the state statute was not contrary to HIPAA and was in fact “supporting at least one of HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s health care record.”306

In Smith v. American Home Products Corporation307 an interesting issue presented was whether HIPAA’s requirements conflicted with and preempted common law as established in 1985 in Stempler v. Speidell.308 In Stempler, the New Jersey Supreme Court dealt with whether ex parte interviews between defense counsel and a plaintiff’s treating physician are permissible. The Stempler court held that such ex parte interviews are permissible if the plaintiff consents; the defense counsel gives the plaintiff’s counsel reasonable notice of the time and place of the interviews; the defense counsel provides the participating physician with a description of the expected scope of the interview; and the defense counsel’s request clearly indicates to the participating physician that the interview is voluntary.309 In Smith, the court agreed that HIPAA did not preempt the informal discovery allowed by Stempler. However, because the safeguards for the disclosure authorization permitted in the Stempler case were less stringent than HIPAA, the federal law preempted state law to some extent. That is, the court held that the authorization had to be rewritten to comply with HIPAA.310

There are cases in which the courts have held that because HIPAA is more stringent than a particular state privacy law, HIPAA preempted the state law.311 Law v. Zuckerman312 involved a Maryland law that also regulated ex parte communications between a lawyer and a treating physician of an adverse party who has placed his or her medical condition at issue.313 The court held that the mandatory disclosure required by Maryland law was less protective than HIPAA of patient privacy and control of the patient’s medical records. Because the Maryland law was less stringent, HIPAA preempted the Maryland law.314

In United States, ex. Rel. Stewart v. Louisiana Clinic315 a federal court held that a state law requiring either patient consent or a court order for the disclosure of a patient’s records was less stringent than HIPAA’s regulations.

    [B]ecause…Louisiana law does not address the form, substance, or the need for express legal permission from an individual, as required by 45 C.F.R. § 160.202 for the exception to apply…the Louisiana statute provides a way of negating the need for such permission. In other words, although the individual patient may attend the contradictory hearing, the Louisiana provision states that the court shall issue an order for disclosure (despite the patient’s lack of consent), if the court finds that release of the information is proper (emphasis added).316

Because the Louisiana law was less stringent than the HIPAA regulations, HIPAA preempted the Louisiana law.317

None of the transit agencies having health information on patrons was aware of an opinion by a court (federal, state, city, or county) in which an issue was whether HIPAA preempted a state law on the use or disclosure of PHI.318

XII. THE ENFORCEMENT RULE: CIVIL AND CRIMINAL PENALTIES UNDER HIPAA

A. Introduction

Transit agencies are not covered entities; however, some transit agencies have entered into contracts as business associates or subcontractors of business associates of covered entities, contracts in which they may have agreed to comply with HIPAA. However, it is not clear that a transit agency meets HIPAA’s definition of a business associate. Thus, there may be an argument that even if a transit agency has agreed to comply with HIPAA and could be sued by a covered entity for breach of the agreement, the transit agency still would not be subject to HIPAA’s Enforcement Rule, because transit agencies do not meet HIPAA’s definition of a business associate.

Inasmuch as there is some lack of clarity on whether HIPAA applies to transit agencies, this report discusses briefly the civil and criminal penalties authorized by HIPAA. HHS’s January 2013 final rule in response to the HITECH amendments strengthened the Enforcement Rule for violations of HIPAA.319

B. Complaints and Civil Penalties

HHS’s Office of Civil Rights (OCR) investigates complaints of violations of the Privacy Rule and the Security Rule. Anyone who believes that a covered entity or a business associate of one has violated or is violating a HIPAA provision has 180 days within which to file a complaint with the Secretary of HHS.320 Affirmative defenses are addressed in § 160.410 of the regulations. If the Secretary determines that there is noncompliance, the Secretary may attempt to resolve the matter by “informal means.”321 The Secretary is authorized to impose a CMP on a covered entity or a business associate.322 It is possible for willful violations of HIPAA regulations to be turned over to the Justice Department for criminal prosecution.323

Under the enforcement provisions, a covered entity may be liable for an act or omission of any of its agents, including a member of its workforce or a business associate, acting within the scope of its agency.324 Similarly, a business associate may be liable for a CMP for an act or omission of any of its agents, including a member of its workforce or a subcontractor, acting within the scope of its agency.325 HITECH established four tiers of penalties in increasing amounts based on the level of culpability, an approach that may make the assessment of significant penalties more likely than prior to HITECH.326 In all cases, the maximum penalty that may be assessed is $50,000 per violation with a cap of $1.5 million for identical violations in a calendar year.327

As of February 18, 2009, the Secretary may not impose a CMP:

1. In an amount of less than $100 or more than $50,000 for a violation in which it is established that a covered entity or business associate did not know and by exercising reasonable diligence would not have known that the covered entity or business associate committed a violation;328

2. In an amount of less than $1,000 or more than $50,000 for a violation in which it is established that a violation was due to reasonable cause and not to willful neglect;329

3. In an amount of less than $10,000 or more than $50,000 for a violation in which it is established that a violation was due to willful neglect and was corrected during the 30-day period beginning on the first date a covered entity or business associate liable for the penalty knew or by exercising reasonable diligence would have known that a violation had occurred;330 or

Footnotes

304 Id. (quoting 45 C.F.R. § 160.202).
305 Id.
306 Id. at 50.
307 372 N. J. Super. 105, 855 A.2d 608 (2003).
308 100 N.J. 368, 495 A.2d 857 (1985).
309 See discussion in Smith, 855 A. 2d at 612.
310 Id. at 624.
311 Bayne v. Provost, 359 F. Supp. 2d 234 (N.D. N.Y. 2005) (on the issue of whether defendants were restricted from conducting ex parte interview of plaintiff’s nurse practitioner, HIPAA held to preempt New York law because HIPAA was more stringent than New York law); Moreland v. Austin, 284 Ga. 730, 733, 670 S.E.2d 68, 71 (2008) (holding that “HIPAA preempts Georgia law with regard to ex parte communications between defense counsel and plaintiff’s prior treating physicians because HIPAA affords patients more control over their medical records when it comes to informal contacts between litigants and physicians”); Allen v. Wright, 282 Ga. 9, 14, 644 S.E. 2d 814, 818 (2007) (holding that HIPAA preempted OCGA § 9-11-9.2 because Georgia law “cannot authorize disclosure based upon less stringent requirements than those mandated by the federal law”).
312 307 F. Supp. 2d 705 (D. Md. 2004).
313 Id. at 709.
314 Id. at 709.
315 2002 U.S. DIST. LEXIS 24062 at *1 (E.D. La. 2002).
316 Id. at 5.
317 Id.
318 One agency did not respond to the question.
319 U.S. DEP’T OF JUSTICE, OFFICE OF LEGAL COUNSEL, SCOPE OF ENFORCEMENT UNDER 42 U.S.C. § 1320D-6 (2005), available at http://www.justice.gov/olc/hipaa_final.htm.
320 45 C.F.R. §§ 160.306(a) and (b)(3) (2013). The 180-day period begins “when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.” 45 C.F.R. § 160.306(b)(3) (2013).
321 45 C.F.R. § 160.312(a) (2013).
322 45 C.F.R. § 160.402(a) (2013).
323 Jack Brill, Giving HIPAA Enforcement Room to Grow: Why There Should not (yet) be a Private Cause of Action, 83 NOTRE DAME L. REV. 2105, 2116 (2008), hereinafter referred to as “Brill.”
324 45 C.F.R. § 160.402(c)(1) (2013).
325 45 C.F.R. § 160.402(c)(2) (2013). Under § 160.402(c)(1) (2013) a covered entity that is a member of an affiliated covered entity may be jointly and severally liable for a CMP “based on an act or omission of the affiliated covered entity….” See also 45 C.F.R. § 160.402(b)(2) (2013) (including an exception to liability when it is established that another member of the affiliated covered entity was responsible for the violation). See also 78 Fed. Reg. 5580.
326 78 Fed. Reg. 5577, 5580 (citing HITECH, § 13410(d) that revised § 1176(a) of the Social Security Act); see Andresen, supra note 60, at 3.
327 45 C.F.R. §§ 160.404(b)(2)(i)(B), (ii)(B), (iii)(B), and (iv)(B) (2013). See Andresen, supra note 60, at 3.
328 45 C.F.R. § 160.404(b)(2)(i)(A) (2013); 78 Fed. Reg. 5582. See also 45 C.F.R. § 404(a) for penalties applicable to violations prior to Feb. 18, 2009.
329 45 C.F.R. § 160.404(b)(2)(ii)(A) (2013).
330 45 C.F.R. § 160.404(b)(2)(iii)(A) (2103).