
HIPAA Enforcement Rule Finalized; Exclusionary Rule Recognized

The U.S. Department of Health and Human Services (HHS) recently adopted the final enforcement rule for “HIPAA,” the Health Insurance Portability and Accountability Act of 1996, a federal statute that deals with “protected health information.” The final rule, which was effective March 16, 2006, clarifies the governmental investigation process, bases for liability, and determination of civil penalties.

A violation of HIPAA, or knowledge of a violation, by an employee or an independent contractor within the employer’s control can be imputed to the employer. And the fines for violating HIPAA are stiff. Organizations can face a $100 daily penalty for each individual violation, up to $25,000 per year. HHS may also require corrective action plans to resolve government enforcement actions.

If your organization is covered by HIPAA, it is crucial to have policies, procedures, training programs, and reporting mechanisms in place so that potential violations are avoided, or, if they occur, are promptly identified and addressed. We can assist in putting these processes in place or in answering other questions you have about HIPAA. The HHS also has a helpful website at www.os.dhhs.gov/ocr/hipaa.

On a related point, the Michigan Court of Appeals held in a recent opinion, Belote v. Strange, that HIPAA — not Michigan law — governs the disclosure of a plaintiff’s protected health information during the course of a lawsuit. When defense counsel obtains such information in violation of HIPAA, the trial court can exclude that information from evidence. This exclusionary rule could have major ramifications in employment cases, where an employee’s medical or psychiatric history is often a central issue. Employers and their counsel should take note of this important development.

William B. Forrest III
© 2007 Kienbaum Opperwall Hardy & Pelton, P.L.C. - All Rights Reserved