HIPAA's Privacy Regulations: Increased Privacy Comes at a Cost

Deeb Salem, MD


September 24, 2003

Health Plans and Providers

The privacy rule also requires health plans, pharmacies, doctors, and other "covered entities" to establish policies and procedures to protect the confidentiality of protected health information about their patients. These requirements are flexible to allow different covered entities to implement them, as appropriate, for their businesses or practices. Covered entities must provide all of the protections for patients described above, such as providing a notice of their privacy practices and limiting the use and disclosure of information as required under the rule.

In addition, covered entities must take some additional steps to protect patient privacy:


  • Develop written privacy procedures. The rule requires covered entities to have written privacy procedures, including a description of the staff members who have access to protected information, how the information will be used, and when the information can be disclosed. Covered entities generally must take steps to ensure that any business associates who have access to protected information agree to the same limitations on the use and disclosure of that information.

  • Designate an employee training and privacy officer. Covered entities must train their employees in their privacy procedures and must designate an individual to be responsible for ensuring that the procedures are followed. If covered entities learn that an employee has failed to follow these procedures, appropriate disciplinary action must be taken.

  • Assign public responsibilities. In limited circumstances, the final rule permits -- but does not require -- covered entities to continue certain existing disclosures of health information for specific public responsibilities. These permitted disclosures include: emergency circumstances; identification of the body of a deceased person or the cause of death; public health needs; research that involves limited data or that has been independently approved by an Institutional Review Board or privacy board; oversight of the healthcare system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security. The privacy rule generally establishes new safeguards and limits on these disclosures. If no other law requires disclosures in these situations, covered entities can continue to use their professional judgment in deciding whether to make such disclosures based on their own policies and ethical principles.

  • Impose equivalent requirements for government. The provisions of the final rule generally apply equally to private and public sector covered entities. For example, private hospitals and government-run hospitals covered by the rule have to comply with the full range of requirements.

Failure to adhere to the HIPAA regulations carries the risk of both civil and criminal penalties. Monetary penalties can be levied at up to $25,000 per year for each violation, and criminal penalties can be imposed for certain actions, such as knowingly obtaining protected health information in violation of the law. For the most serious infractions, such as knowingly selling patients' health information, HHS can levy up to $250,000 in fines and up to 10 years in prison.
