HIPAA Compliance

The various HIPAA regulations will take effect at different times depending on when the final rules are adopted for each. Generally speaking, affected entities have until October 16, 2003 to comply. (See the detailed chart below)

Health care providers, clearinghouses, and their business associates have significant changes that must be put into place prior to the compliance dates stated in the HIPAA regulations.

We recommend completing a thorough HIPAA Readiness assessment as soon as possible, to meet the upcoming deadline of October 16, 2003.

April 14, 2003: Compliance testing commences for Privacy standards for all covered entities except small health plans.

October 16, 2003: Compliance deadline for Transaction and Code Sets.

April 14, 2004: Compliance deadline for Privacy standards for small health plans with less than $5 million in annual receipts.

Enforcement
One of the first promises made by the DHHS Secretary Tommy Thompson after the publication of the Final Rule on the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule") was that HHS would quickly follow up with guidance on the interpretation of the rule. The first guidance document (the "July 6 Guidance") was published by the HHS Office of Civil Rights ("OCR"), the primary Privacy Rule enforcement office, on July 6, 2001.

There has been some concern expressed that DHHS would require a dramatic, very expensive re-engineering of health care processes, procedures and facilities. Some of these expressions of concern may have been politically motivated, but there have also been many legitimate questions.

The July 6 Guidance should serve to allay some of these concerns, as it suggests there will be amendments to the Privacy Rule which will accommodate a number of common situations in realistic ways which recognize the need to accommodate established practices. It also provides some interpretation of the ways the Privacy Rule will be officially interpreted in some situations, which may not result in amendments to the regulation but may be helpful in resolving ambiguities and filling gaps in the application of the rule.

Penalties for non-compliance
Organizations that fail to comply with HIPAA can incur civil penalties that include $100 for each violation, up to a maximum of $25,000 for violating a particular requirement of the law. Keep in mind that a global release of information on multiple employees would likely trigger the $100 penalty for each employee - so it won't be difficult to hit the maximum penalty with a single incident.

But civil penalties under HIPAA are just the beginning. The law also stipulates criminal penalties, ranging from $50,000 and one year in federal prison for wrongful disclosure, up to $250,000 and ten years in prison for a deliberate offense with intent to sell protected health information. This may be the first law in U.S. history where handing out information can land you in jail. Recognizing that the sweeping changes required by HIPAA will take time to implement, the law sets an effective date for compliance - and penalties.

Criminal and civil penalties aside, bad press and litigation could be more damaging.

All information provided in this web site is believed to be accurate and up to date; however, the Geomar Computers assumes no responsibility for the use of this information. This web site links to web sites maintained by other entities. Reasonable precautions are taken to link only to web sites which are appropriate, accurate and maintained by reputable organizations. However, those web pages are not under Geomar Computers control. Geomar Computers is not responsible for the information or opinions expressed in those linked sites. The recommendations and analyses on this site are intended simply to provide assistance and guidance. They may not be relied upon as authority for compliance with legal requirements, nor as a source of legal advice. It is up to you to seek out legal counsel and official government documentation to protect your rights.