Transaction and Code Set Standards

Federal law requires most health plans, clearinghouses,
and providers that conduct certain electronic transactions to be compliant
with the Health Insurance Portability and Accountability Act (HIPAA) transaction
and code set standards by October 16, 2002, unless they filed for a one-year extension
on or before October 15, 2002. Small health plans have until October 16, 2003
to comply. Covered entities that are not in compliance and have not filed for the extension
may be subject to statutory penalties.

The Centers for Medicare and Medicaid Services (CMS) is responsible for enforcing
the transaction and code set standards that are required as part of HIPAA. CMS
has created a new office to handle its HIPAA responsibilities, including the establishment
and implementation of enforcement processes. CMS enforcement efforts will focus
on providing technical assistance to covered entities to obtain voluntary compliance.

The office will report directly to the deputy administrator, Ruben King-Shaw. CMS
has indicated that enforcement actions will be primarily driven by complaints,
and that parties will have the opportunity to demonstrate compliance or submit
corrective action plans.

Privacy

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) will
enforce the protection of individually identifiable health information as required
under the privacy protection provisions of HIPAA. Federal law requires compliance
with the privacy protection provisions of HIPAA by April 14, 2003. Small health
plans have until April 14, 2004 to comply.

Congress provided penalties for covered entities that misuse personal health information.
- Civil penalties. Health plans, providers and clearinghouses that violate the privacy standards
will be subject to civil liability. Civil money penalties are $100 per violation,
up to $25,000 per person, per year for each requirement or prohibition violated.
- Federal criminal penalties. Congress also established criminal penalties for knowingly violating patient privacy. Criminal
penalties are up to $50,000 and one year in prison for obtaining or disclosing
protected health information; up to $100,000 and up to five years in prison for
obtaining protected health information under "false pretenses"; and
up to $250,000 and up to 10 years in prison for obtaining or disclosing protected
health information with the intent to sell, transfer or use it for commercial
advantage, personal gain or malicious harm.