NEW BILL WOULD EXPAND HIPAA AND APPLY PRIVACY REQUIREMENTS DIRECTLY TO EMPLOYERS

In July of 2007, Sen. Patrick Leahy (D-VT) and Sen. Edward Kennedy (D-MA) introduced The Health Information Privacy and Security Act of 2007 – S.1814.  The bill is similar to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and would create new privacy requirements that are applicable directly to employers. The purpose of the bill is to provide Americans with adequate safeguards aimed at keeping their sensitive health information private in an age when such information can so easily be disseminated and misused.

The Health Information Privacy and Security Act of 2007 would, in most cases, prohibit employers, health plans and other entities from disclosing or using a patient’s personal health information without authorization from the patient. For example, Section 202 (Authorizations for Disclosure of Protected Health Information for Treatment and Payment) requires employers, among others, to obtain a signed, written authorization from individuals seeking to disclose protected health information in connection with any treatment, payment, or other purpose. 

Moreover, the bill requires that an individual must be provided with notification in the case of an actual or attempted security breach if there is at least a “reasonable belief” that protected health information concerning him was accessed or acquired during the breach.  Notification of such a breach must be provided within 15 business days of discovery of the breach and must include the categories of protected health information breached.  Furthermore, the bill requires that employers establish technological, administrative, organizational, technical, and physical safeguards to secure protected health information that they create, access, use, or maintain.  It also mandates that employers undertake annual risk assessment, management, and control exercises to prevent, limit, and detect security threats or breaches.

The bill would also impose criminal and civil penalties for unauthorized disclosure of patient information and direct the U.S. attorney general to debar health entities from federal programs if they are found guilty of a crime under the act. In addition, the bill would allow individuals to sue for damages in cases of unauthorized disclosure and would authorize state attorneys general to sue on behalf of state residents. Finally, whistle-blowers who report violations would be protected from retaliation.

Although the bill would not supplant current privacy regulations applicable to entities covered by HIPAA, it would require the U.S. Department of Health and Human Services to revise its privacy rules as needed to make them consistent with the bill.

***

Jackson & Campbell's Employment Law Practice Group can help companies understand the potential implications of this proposed legislation, including the requirement to establish safeguards to secure protected health information that they maintain as well as the imposition of criminal and civil sanctions for the unauthorized disclosure of same.

[1] Although HIPAA applies to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses, employers not covered under HIPAA are still required to comply with HIPAA’s provisions related to the release of medical information during the course of performing related employer functions.

The contents of this Employment Law Alert are intended for general informational purposes only and should not be considered legal advice. Moreover, the mailing of this Employment Law Alert is not intended to create nor does it constitute an attorney-client relationship.

©2007 Jackson & Campbell, P.C.