
Enforcement: HIPAA in 2007; What Health Care Employers Need to Know

As most employers are
aware, the Health Insurance Portability and Accountability Act (HIPAA)
established national privacy and security standards for health care providers,
health plans, and health care entities. Since HIPAA’s enactment in 1996, these
covered employers have struggled to achieve compliance with the rules. While
enforcement has so far been limited, this may soon change as recent
developments indicate increased scrutiny and growing risks to covered employers
if they don’t comply. Here, we discuss HIPAA litigation and what California employers
need to know.


First Case Goes to Trial

Significantly, 2007 marked the first year in which a case brought under HIPAA
went to trial.¹ A Florida jury found
Fernando Ferrer, Jr., the owner of a health care administration company, guilty
of wrongful disclosure of individually identifiable health information,
aggravated identity theft, computer fraud, and conspiracy to defraud the
federal government. With the help of an employee who was his cousin, Ferrer
stole more than 1,100 patients’ personal data, including their names, birth dates,
Social Security numbers, and Medicare numbers and addresses. Ferrer then used
the misappropriated information to submit approximately $7 million of
fraudulent Medicare claims. He was sentenced to seven years in jail and forced
to pay $2.5 million.


State Courts Look to HIPAA for Guidance

Although private
individuals cannot directly recover damages under HIPAA, state courts deciding
state privacy claims have been following the standards set forth in this law.


In North Carolina, a psychiatric patient sued
for invasion of privacy and infliction of emotional distress, alleging that a
psychiatrist improperly accessed and disseminated her health information by
permitting an office manager to use her medical records access code, in
violation of hospital rules and HIPAA. A trial court threw out the case, saying
that HIPAA does not allow a private cause of action. However, the appeals court
reversed this ruling and allowed the patient’s case to go forward based on
HIPAA’s standard of care for protecting medical records.


Similarly, in an Illinois lawsuit, a
patient alleged that after she had a blood test at a hospital, the phlebotomist
who drew the blood later revealed in a social setting that the patient was
pregnant. The patient alleged breach of confidentiality, invasion of privacy,
and infliction of emotional distress against both the phlebotomist and the
hospital on the grounds that the hospital was liable for its employees’
actions. The Illinois Supreme Court relied on evidence that the hospital provided
HIPAA training to the phlebotomist to defeat the patient’s claims against the
hospital, reasoning that the phlebotomist’s disclosure of patient information was
not the kind of conduct she was hired to perform and not attributable to the


These cases would appear
to indicate that state courts are increasingly willing to look to HIPAA for guidance
in deciding state privacy lawsuits concerning health care matters.




A California Case

Although the California state courts have not yet decided a HIPAA
case, the U.S. Ninth Circuit Court of Appeals, which covers California,
recently addressed a HIPAA issue arising out of a federal California court. The court ruled that even
though HIPAA limits the amount a covered entity can charge an individual for copies
of his or her medical records to a reasonable cost-based fee, it does not limit
the amount an entity can charge the individual’s lawyers or other parties seeking
the same records on the individual’s behalf.


NPI Deadline Extended

May 23, 2007, was the
deadline for employers covered by HIPAA to provide a National Provider
Identifier (NPI) on transactions in which a health care provider’s identifier
is required. However, after large numbers of health care providers reported
that they would not be ready to meet that deadline, the Centers for Medicare and
Medicaid Services granted a 12-month grace period to those organizations that
could demonstrate they had made efforts to comply with the rule.


Enforcement Statistics

Earlier this year, the
U.S. Department of Health and Human Services (HHS), the agency charged with enforcing
HIPAA, revealed that it has investigated and closed almost 4,500 cases by
mandating changes in privacy practices or imposing corrective action on health care
providers, indicating that enforcement is under way. You can access the
information by visiting the HHS website at


Effect on California Employers

All of these
developments indicate that it is only a matter of time before California employers begin encountering
HIPAA litigation. Courts’ willingness to apply HIPAA standards to privacy cases
and the posting of enforcement statistics on the HHS website are strong signs
that regular enforcement is on the horizon. It is therefore in the best
interests of all California
health care employers to ensure that they have a compliance plan and that their
policies and procedures comply with the HIPAA regulations. California health care providers should also
ensure that compliance with the NPI rule is achieved by May 23, 2008.



1 United States v. Ferrer, U.S. District Court (S.D. Fla.) No. 06-60261 CR-COHN, 2006

2 Acosta v. Byrum, N.C. Court of Appeals No. COA06-106, 2006

3 Bagent v. Blessing Care Corporation, Ill. Supreme Court No. 102430, 2007

4 Webb v. Smart Document Solutions, LLC, U.S.C.A. 9th Cir. No. 05-56282, 2007