As health care providers, patients, family members, friends, and disaster relief agencies such as the American Red Cross continue to grapple with the aftermath of Hurricane Sandy it is important to be mindful of privacy regulations and to prepare in advance for the next emergency. The Health Insurance Portability and Accountability Act  of 1996 (“HIPAA” or “Privacy Rule”) protects individually identifiable health information held by “covered entities.” The information protected is referred to as protected health information or PHI. The Privacy Rule permits covered entities to disclose PHI for a variety of purposes including to (a) treat patients; (b) identify, locate and notify family members, guardians, or anyone else responsible for an individual’s care; (c) obtain the services of disaster relief agencies; (d) conduct public health activities; and (e) prevent or lessen serious and imminent threats to health or safety.

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.

Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential.