Difference between revisions of "Health Insurance Portability and Accountability Act of 1996"

HIPAA is an act that modernizes the flow of healthcare information in the United States. The Act ensures individuals that the Personally Identifiable Information maintained by the healthcare and healthcare insurance industries shall be protected from fraud and theft. Moreover, it addresses limitations on healthcare insurance coverage.

Text of the law

42 U.S. Code § 1320d - Definitions

For purposes of this part:

(1)Code set The term “code set” means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

(2)Health care clearinghouse The term “health care clearinghouse” means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

(3)Health care provider The term “health care provider” includes a provider of services (as defined in section 1395x(u) of this title), a provider of medical or other health services (as defined in section 1395x(s) of this title), and any other person furnishing health care services or supplies.

(4)Health information The term “health information” means any information, whether oral or recorded in any form or medium, that— ^{Medical and Health, Transactional} "Personal#list" contains a listed "#" character as part of the property label and has therefore been classified as invalid. (A)is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B)relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. (5)Health planThe term “health plan” means an individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 300gg–91 of this title). Such term includes the following, and any combination thereof: (A)A group health plan (as defined in section 300gg–91(a) of this title), but only if the plan— (i)has 50 or more participants (as defined in section 1002(7) of title 29); or (ii)is administered by an entity other than the employer who established and maintains the plan. (B)A health insurance issuer (as defined in section 300gg–91(b) of this title). (C)A health maintenance organization (as defined in section 300gg–91(b) of this title). (D)Parts [1] A, B, C, or D of the Medicare program under subchapter XVIII. (E)The medicaid program under subchapter XIX. (F)A Medicare supplemental policy (as defined in section 1395ss(g)(1) of this title). (G)A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan). (H)An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers. (I)The health care program for active military personnel under title 10. (J)The veterans health care program under chapter 17 of title 38. ^Professional "Personal#list" contains a listed "#" character as part of the property label and has therefore been classified as invalid. (K)The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10. (L)The Indian health service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.). (M)The Federal Employees Health Benefit Plan under chapter 89 of title 5. (6)Individually identifiable health information The term “individually identifiable health information” means any information, including demographic information collected from an individual, that— ^{Medical and Health, Identifying} "Personal#list" contains a listed "#" character as part of the property label and has therefore been classified as invalid. (A)is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B)relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and— (i)identifies the individual; or (ii)with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. (7)Standard The term “standard”, when used with reference to a data element of health information or a transaction referred to in section 1320d–2(a)(1) of this title, means any such data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary with respect to the data element or transaction under sections 1320d–1 through 1320d–3 of this title.

(8)Standard setting organization The term “standard setting organization” means a standard setting organization accredited by the American National Standards Institute, including the National Council for Prescription Drug Programs, that develops standards for information transactions, data elements, or any other standard that is necessary to, or will facilitate, the implementation of this part.

(9)Operating rules The term “operating rules” means the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications as adopted for purposes of this part.

42 U.S. Code § 1320d–2 - Standards for information transactions and data elements ^{Increased Accessibility}

(a)Standards to enable electronic exchange (1)In general The Secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for— (A)the financial and administrative transactions described in paragraph (2); and (B)other financial and administrative transactions determined appropriate by the Secretary, consistent with the goals of improving the operation of the health care system and reducing administrative costs, and subject to the requirements under paragraph (5). (2)TransactionsThe transactions referred to in paragraph (1)(A) are transactions with respect to the following: (A)Health claims or equivalent encounter information. (B)Health claims attachments. (C)Enrollment and disenrollment in a health plan. (D)Eligibility for a health plan. (E)Health care payment and remittance advice. (F)Health plan premium payments. (G)First report of injury. (H)Health claim status. (I)Referral certification and authorization. (J)Electronic funds transfers. (3)Accommodation of specific providers The standards adopted by the Secretary under paragraph (1) shall accommodate the needs of different types of health care providers.

(4)Requirements for financial and administrative transactions (A)In general The standards and associated operating rules adopted by the Secretary shall— (i)to the extent feasible and appropriate, enable determination of an individual’s eligibility and financial responsibility for specific services prior to or at the point of care; (ii)be comprehensive, requiring minimal augmentation by paper or other communications; (iii)provide for timely acknowledgment, response, and status reporting that supports a transparent claims and denial management process (including adjudication and appeals); and (iv)describe all data elements (including reason and remark codes) in unambiguous terms, require that such data elements be required or conditioned upon set values in other fields, and prohibit additional conditions (except where necessary to implement State or Federal law, or to protect against fraud and abuse). (B)Reduction of clerical burden In adopting standards and operating rules for the transactions referred to under paragraph (1), the Secretary shall seek to reduce the number and complexity of forms (including paper and electronic forms) and data entry required by patients and providers.

(5)Consideration of standardization of activities and items (A)In general For purposes of carrying out paragraph (1)(B), the Secretary shall solicit, not later than January 1, 2012, and not less than every 3 years thereafter, input from entities described in subparagraph (B) on— (i)whether there could be greater uniformity in financial and administrative activities and items, as determined appropriate by the Secretary; and (ii)whether such activities should be considered financial and administrative transactions (as described in paragraph (1)(B)) for which the adoption of standards and operating rules would improve the operation of the health care system and reduce administrative costs. (B)Solicitation of input For purposes of subparagraph (A), the Secretary shall seek input from— (i)the National Committee on Vital and Health Statistics, the Health Information Technology Policy Committee, and the Health Information Technology Standards Committee; and (ii)standard setting organizations and stakeholders, as determined appropriate by the Secretary. (b)Unique health identifiers (1)In general The Secretary shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers. ^{Identification, Secondary Use, Aggregation}

(2)Use of identifiers The standards adopted under paragraph (1) shall specify the purposes for which a unique health identifier may be used.

(c)Code sets (1)In general The Secretary shall adopt standards that— (A)select code sets for appropriate data elements for the transactions referred to in subsection (a)(1) from among the code sets that have been developed by private and public entities; or (B)establish code sets for such data elements if no code sets for the data elements have been developed. (2)Distribution The Secretary shall establish efficient and low-cost procedures for distribution (including electronic distribution) of code sets and modifications made to such code sets under section 1320d–3(b) of this title.

(d)Security standards for health information ^{Insecurity, Disclosure}

(1)Security standards The Secretary shall adopt security standards that— (A)take into account— (i)the technical capabilities of record systems used to maintain health information; (ii)the costs of security measures; (iii)the need for training persons who have access to health information; (iv)the value of audit trails in computerized record systems; and (v)the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and (B)ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization. (2)SafeguardsEach person described in section 1320d–1(a) of this title who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards— (A)to ensure the integrity and confidentiality of the information; (B)to protect against any reasonably anticipated— (i)threats or hazards to the security or integrity of the information; and (ii)unauthorized uses or disclosures of the information; and (C)otherwise to ensure compliance with this part by the officers and employees of such person. (e)Electronic signature (1)Standards The Secretary, in coordination with the Secretary of Commerce, shall adopt standards specifying procedures for the electronic transmission and authentication of signatures with respect to the transactions referred to in subsection (a)(1).

(2)Effect of compliance Compliance with the standards adopted under paragraph (1) shall be deemed to satisfy Federal and State statutory requirements for written signatures with respect to the transactions referred to in subsection (a)(1).

(f)Transfer of information among health plans The Secretary shall adopt standards for transferring among health plans appropriate standard data elements needed for the coordination of benefits, the sequential processing of claims, and other data elements for individuals who have more than one health plan.

(g)Operating rules (1)In general The Secretary shall adopt a single set of operating rules for each transaction referred to under subsection (a)(1) with the goal of creating as much uniformity in the implementation of the electronic standards as possible. Such operating rules shall be consensus-based and reflect the necessary business rules affecting health plans and health care providers and the manner in which they operate pursuant to standards issued under Health Insurance Portability and Accountability Act of 1996.

(2)Operating rules developmentIn adopting operating rules under this subsection, the Secretary shall consider recommendations for operating rules developed by a qualified nonprofit entity that meets the following requirements: (A)The entity focuses its mission on administrative simplification. (B)The entity demonstrates a multi-stakeholder and consensus-based process for development of operating rules, including representation by or participation from health plans, health care providers, vendors, relevant Federal agencies, and other standard development organizations. (C)The entity has a public set of guiding principles that ensure the operating rules and process are open and transparent, and supports nondiscrimination and conflict of interest policies that demonstrate a commitment to open, fair, and nondiscriminatory practices. (D)The entity builds on the transaction standards issued under Health Insurance Portability and Accountability Act of 1996. (E)The entity allows for public review and updates of the operating rules. (3)Review and recommendationsThe National Committee on Vital and Health Statistics shall— (A)advise the Secretary as to whether a nonprofit entity meets the requirements under paragraph (2); (B)review the operating rules developed and recommended by such nonprofit entity; (C)determine whether such operating rules represent a consensus view of the health care stakeholders and are consistent with and do not conflict with other existing standards; (D)evaluate whether such operating rules are consistent with electronic standards adopted for health information technology; and (E)submit to the Secretary a recommendation as to whether the Secretary should adopt such operating rules. (4)Implementation (A)In general The Secretary shall adopt operating rules under this subsection, by regulation in accordance with subparagraph (C), following consideration of the operating rules developed by the non-profit entity described in paragraph (2) and the recommendation submitted by the National Committee on Vital and Health Statistics under paragraph (3)(E) and having ensured consultation with providers.

(B)Adoption requirements; effective dates (i)Eligibility for a health plan and health claim status The set of operating rules for eligibility for a health plan and health claim status transactions shall be adopted not later than July 1, 2011, in a manner ensuring that such operating rules are effective not later than January 1, 2013, and may allow for the use of a machine readable identification card.

(ii)Electronic funds transfers and health care payment and remittance adviceThe set of operating rules for electronic funds transfers and health care payment and remittance advice transactions shall— (I)allow for automated reconciliation of the electronic payment with the remittance advice; and (II)be adopted not later than July 1, 2012, in a manner ensuring that such operating rules are effective not later than January 1, 2014. (iii)Health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, referral certification and authorization The set of operating rules for health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, and referral certification and authorization transactions shall be adopted not later than July 1, 2014, in a manner ensuring that such operating rules are effective not later than January 1, 2016.

(C)Expedited rulemaking The Secretary shall promulgate an interim final rule applying any standard or operating rule recommended by the National Committee on Vital and Health Statistics pursuant to paragraph (3). The Secretary shall accept and consider public comments on any interim final rule published under this subparagraph for 60 days after the date of such publication.

(h)Compliance (1)Health plan certification (A)Eligibility for a health plan, health claim status, electronic funds transfers, health care payment and remittance advice Not later than December 31, 2013, a health plan shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable standards (as described under paragraph (7) of section 1320d of this title) and associated operating rules (as described under paragraph (9) of such section) for electronic funds transfers, eligibility for a health plan, health claim status, and health care payment and remittance advice, respectively.

(B)Health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, health claims attachments, referral certification and authorization Not later than December 31, 2015, a health plan shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable standards and associated operating rules for health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, health claims attachments, and referral certification and authorization, respectively. A health plan shall provide the same level of documentation to certify compliance with such transactions as is required to certify compliance with the transactions specified in subparagraph (A).

(2)Documentation of complianceA health plan shall provide the Secretary, in such form as the Secretary may require, with adequate documentation of compliance with the standards and operating rules described under paragraph (1). A health plan shall not be considered to have provided adequate documentation and shall not be certified as being in compliance with such standards, unless the health plan— (A)demonstrates to the Secretary that the plan conducts the electronic transactions specified in paragraph (1) in a manner that fully complies with the regulations of the Secretary; and (B)provides documentation showing that the plan has completed end-to-end testing for such transactions with their partners, such as hospitals and physicians. (3)Service contracts A health plan shall be required to ensure that any entities that provide services pursuant to a contract with such health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance) under this subsection.

(4)Certification by outside entity The Secretary may designate independent, outside entities to certify that a health plan has complied with the requirements under this subsection, provided that the certification standards employed by such entities are in accordance with any standards or operating rules issued by the Secretary.

(5)Compliance with revised standards and operating rules (A)In generalA health plan (including entities described under paragraph (3)) shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable revised standards and associated operating rules under this subsection for any interim final rule promulgated by the Secretary under subsection (i) that— (i)amends any standard or operating rule described under paragraph (1) of this subsection; or (ii)establishes a standard (as described under subsection (a)(1)(B)) or associated operating rules (as described under subsection (i)(5)) for any other financial and administrative transactions. (B)Date of compliance A health plan shall comply with such requirements not later than the effective date of the applicable standard or operating rule.

(6)Audits of health plans The Secretary shall conduct periodic audits to ensure that health plans (including entities described under paragraph (3)) are in compliance with any standards and operating rules that are described under paragraph (1) or subsection (i)(5).

(i)Review and amendment of standards and operating rules (1)Establishment Not later than January 1, 2014, the Secretary shall establish a review committee (as described under paragraph (4)).

(2)Evaluations and reports (A)Hearings Not later than April 1, 2014, and not less than biennially thereafter, the Secretary, acting through the review committee, shall conduct hearings to evaluate and review the adopted standards and operating rules established under this section.

(B)Report Not later than July 1, 2014, and not less than biennially thereafter, the review committee shall provide recommendations for updating and improving such standards and operating rules. The review committee shall recommend a single set of operating rules per transaction standard and maintain the goal of creating as much uniformity as possible in the implementation of the electronic standards.

(3)Interim final rulemaking (A)In general Any recommendations to amend adopted standards and operating rules that have been approved by the review committee and reported to the Secretary under paragraph (2)(B) shall be adopted by the Secretary through promulgation of an interim final rule not later than 90 days after receipt of the committee’s report.

(B)Public comment (i)Public comment period The Secretary shall accept and consider public comments on any interim final rule published under this paragraph for 60 days after the date of such publication.

(ii)Effective date The effective date of any amendment to existing standards or operating rules that is adopted through an interim final rule published under this paragraph shall be 25 months following the close of such public comment period.

(4)Review committee (A)DefinitionFor the purposes of this subsection, the term “review committee’ means a committee chartered by or within the Department of Health and Human services that has been designated by the Secretary to carry out this subsection, including— (i)the National Committee on Vital and Health Statistics; or (ii)any appropriate committee as determined by the Secretary. (B)Coordination of HIT standards In developing recommendations under this subsection, the review committee shall ensure coordination, as appropriate, with the standards that support the certified electronic health record technology approved by the Office of the National Coordinator for Health Information Technology.

(5)Operating rules for other standards adopted by the Secretary The Secretary shall adopt a single set of operating rules (pursuant to the process described under subsection (g)) for any transaction for which a standard had been adopted pursuant to subsection (a)(1)(B).

(j)Penalties (1)Penalty fee (A)In generalNot later than April 1, 2014, and annually thereafter, the Secretary shall assess a penalty fee (as determined under subparagraph (B)) against a health plan that has failed to meet the requirements under subsection (h) with respect to certification and documentation of compliance with— (i)the standards and associated operating rules described under paragraph (1) of such subsection; and (ii)a standard (as described under subsection (a)(1)(B)) and associated operating rules (as described under subsection (i)(5)) for any other financial and administrative transactions. (B)Fee amount Subject to subparagraphs (C), (D), and (E), the Secretary shall assess a penalty fee against a health plan in the amount of $1 per covered life until certification is complete. The penalty shall be assessed per person covered by the plan for which its data systems for major medical policies are not in compliance and shall be imposed against the health plan for each day that the plan is not in compliance with the requirements under subsection (h).

(C)Additional penalty for misrepresentation A health plan that knowingly provides inaccurate or incomplete information in a statement of certification or documentation of compliance under subsection (h) shall be subject to a penalty fee that is double the amount that would otherwise be imposed under this subsection.

(D)Annual fee increase The amount of the penalty fee imposed under this subsection shall be increased on an annual basis by the annual percentage increase in total national health care expenditures, as determined by the Secretary.

(E)Penalty limitA penalty fee assessed against a health plan under this subsection shall not exceed, on an annual basis— (i)an amount equal to $20 per covered life under such plan; or (ii)an amount equal to $40 per covered life under the plan if such plan has knowingly provided inaccurate or incomplete information (as described under subparagraph (C)). (F)Determination of covered individuals The Secretary shall determine the number of covered lives under a health plan based upon the most recent statements and filings that have been submitted by such plan to the Securities and Exchange Commission.

(2)Notice and dispute procedure The Secretary shall establish a procedure for assessment of penalty fees under this subsection that provides a health plan with reasonable notice and a dispute resolution procedure prior to provision of a notice of assessment by the Secretary of the Treasury (as described under paragraph (4)(B)).

(3)Penalty fee report Not later than May 1, 2014, and annually thereafter, the Secretary shall provide the Secretary of the Treasury with a report identifying those health plans that have been assessed a penalty fee under this subsection.

(4)Collection of penalty fee (A)In general The Secretary of the Treasury, acting through the Financial Management Service, shall administer the collection of penalty fees from health plans that have been identified by the Secretary in the penalty fee report provided under paragraph (3).

(B)Notice Not later than August 1, 2014, and annually thereafter, the Secretary of the Treasury shall provide notice to each health plan that has been assessed a penalty fee by the Secretary under this subsection. Such notice shall include the amount of the penalty fee assessed by the Secretary and the due date for payment of such fee to the Secretary of the Treasury (as described in subparagraph (C)).

(C)Payment due date Payment by a health plan for a penalty fee assessed under this subsection shall be made to the Secretary of the Treasury not later than November 1, 2014, and annually thereafter.

(D)Unpaid penalty feesAny amount of a penalty fee assessed against a health plan under this subsection for which payment has not been made by the due date provided under subparagraph (C) shall be— (i)increased by the interest accrued on such amount, as determined pursuant to the underpayment rate established under section 6621 of the Internal Revenue Code of 1986; and (ii)treated as a past-due, legally enforceable debt owed to a Federal agency for purposes of section 6402(d) of the Internal Revenue Code of 1986. (E)Administrative fees Any fee charged or allocated for collection activities conducted by the Financial Management Service will be passed on to a health plan on a pro-rata basis and added to any penalty fee collected from the plan.

42 U.S. Code § 1320d–3 - Timetables for adoption of standards

(a)Initial standards The Secretary shall carry out section 1320d–2 of this title not later than 18 months after August 21, 1996, except that standards relating to claims attachments shall be adopted not later than 30 months after August 21, 1996.

(b)Additions and modifications to standards (1)In general Except as provided in paragraph (2), the Secretary shall review the standards adopted under section 1320d–2 of this title, and shall adopt modifications to the standards (including additions to the standards), as determined appropriate, but not more frequently than once every 12 months. Any addition or modification to a standard shall be completed in a manner which minimizes the disruption and cost of compliance.

(2)Special rules (A)First 12-month period Except with respect to additions and modifications to code sets under subparagraph (B), the Secretary may not adopt any modification to a standard adopted under this part during the 12-month period beginning on the date the standard is initially adopted, unless the Secretary determines that the modification is necessary in order to permit compliance with the standard.

(B)Additions and modifications to code sets (i)In general The Secretary shall ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets.

(ii)Additional rules If a code set is modified under this subsection, the modified code set shall include instructions on how data elements of health information that were encoded prior to the modification may be converted or translated so as to preserve the informational value of the data elements that existed before the modification. Any modification to a code set under this subsection shall be implemented in a manner that minimizes the disruption and cost of complying with such modification.

42 U.S. Code § 1320d–4 - Requirements

(a)Conduct of transactions by plans (1)In generalIf a person desires to conduct a transaction referred to in section 1320d–2(a)(1) of this title with a health plan as a standard transaction— (A)the health plan may not refuse to conduct such transaction as a standard transaction; (B)the insurance plan may not delay such transaction, or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction; and (C)the information transmitted and received in connection with the transaction shall be in the form of standard data elements of health information. (2)Satisfaction of requirementsA health plan may satisfy the requirements under paragraph (1) by— (A)directly transmitting and receiving standard data elements of health information; or (B)submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse, and receiving standard data elements through the health care clearinghouse. (3)Timetable for compliance Paragraph (1) shall not be construed to require a health plan to comply with any standard, implementation specification, or modification to a standard or specification adopted or established by the Secretary under sections 1320d–1 through 1320d–3 of this title at any time prior to the date on which the plan is required to comply with the standard or specification under subsection (b).

(b)Compliance with standards (1)Initial compliance (A)In general Not later than 24 months after the date on which an initial standard or implementation specification is adopted or established under sections 1320d–1 and 1320d–2 of this title, each person to whom the standard or implementation specification applies shall comply with the standard or specification.

(B)Special rule for small health plans In the case of a small health plan, paragraph (1) shall be applied by substituting “36 months” for “24 months”. For purposes of this subsection, the Secretary shall determine the plans that qualify as small health plans.

(2)Compliance with modified standards If the Secretary adopts a modification to a standard or implementation specification under this part, each person to whom the standard or implementation specification applies shall comply with the modified standard or implementation specification at such time as the Secretary determines appropriate, taking into account the time needed to comply due to the nature and extent of the modification. The time determined appropriate under the preceding sentence may not be earlier than the last day of the 180-day period beginning on the date such modification is adopted. The Secretary may extend the time for compliance for small health plans, if the Secretary determines that such extension is appropriate.

(3)ConstructionNothing in this subsection shall be construed to prohibit any person from complying with a standard or specification by— (A)submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse; or (B)receiving standard data elements through a health care clearinghouse.

Identification, Disclosure

(a)Offense A person who knowingly and in violation of this part— (1)uses or causes to be used a unique health identifier; (2)obtains individually identifiable health information relating to an individual; or (3)discloses individually identifiable health information to another person, shall be punished as provided in subsection (b). For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9(b)(3) of this title) and the individual obtained or disclosed such information without authorization. (b)PenaltiesA person described in subsection (a) shall— (1)be fined not more than $50,000, imprisoned not more than 1 year, or both; (2)if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3)if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

42 U.S. Code § 1320d–8.Processing payment transactions by financial institutions

To the extent that an entity is engaged in activities of a financial institution (as defined in section 3401 of title 12), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, including the following: (1)The use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care, where such payment is made by any means, including a credit, debit, or other payment card, an account, check, or electronic funds transfer. (2)The request for, or the use or disclosure of, information by the entity with respect to a payment described in paragraph (1)— (A)for transferring receivables; (B)for auditing; (C)in connection with— (i)a customer dispute; or (ii)an inquiry from, or to, a customer; (D)in a communication to a customer of the entity regarding the customer’s transactions, payment card, account, check, or electronic funds transfer; (E)for reporting to consumer reporting agencies; or (F)for complying with— (i)a civil or criminal subpoena; or (ii)a Federal or State law regulating the entity.

42 U.S. Code § 1320d–9 - Application of HIPAA regulations to genetic information

(a)In general The Secretary shall revise the HIPAA privacy regulation (as defined in subsection (b)) so it is consistent with the following: (1)Genetic information shall be treated as health information described in section 1320d(4)(B) of this title. ^{Medical and Health} "Personal#list" contains a listed "#" character as part of the property label and has therefore been classified as invalid. (2)The use or disclosure by a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare supplemental policy of protected health information that is genetic information about an individual for underwriting purposes under the group health plan, health insurance coverage, or medicare supplemental policy shall not be a permitted use or disclosure. (b)Definitions For purposes of this section: (1)Genetic information; genetic test; family member The terms “genetic information”, “genetic test”, and “family member” have the meanings given such terms in section 300gg–91 of this title, as amended by the Genetic Information Nondiscrimination Act of 2007.[1]

(2)Group health plan; health insurance coverage; medicare supplemental policy The terms “group health plan” and “health insurance coverage” have the meanings given such terms under section 300gg–91 of this title, and the term “medicare supplemental policy” has the meaning given such term in section 1395ss(g) of this title.

(3)HIPAA privacy regulation The term “HIPAA privacy regulation” means the regulations promulgated by the Secretary under this part and section 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).

(4)Underwriting purposesThe term “underwriting purposes” means, with respect to a group health plan, health insurance coverage, or a medicare supplemental policy— (A)rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy; (B)the computation of premium or contribution amounts under the plan, coverage, or policy; (C)the application of any pre-existing condition exclusion under the plan, coverage, or policy; and (D)other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits. (c)Procedure The revisions under subsection (a) shall be made by notice in the Federal Register published not later than 60 days after May 21, 2008, and shall be effective upon publication, without opportunity for any prior public comment, but may be revised, consistent with this section, after opportunity for public comment.

(d)Enforcement In addition to any other sanctions or remedies that may be available under law, a covered entity that is a group health plan, health insurance issuer, or issuer of a medicare supplemental policy and that violates the HIPAA privacy regulation (as revised under subsection (a) or otherwise) with respect to the use or disclosure of genetic information shall be subject to the penalties described in sections 1320d–5 and 1320d–6 of this title in the same manner and to the same extent that such penalties apply to violations of this part.

Disclaimer: The text of this law may not be the most recent version. We make no warranties or representations about the accuracy, completeness, or adequacy of the information contained on this site. Please check official sources.