[ Tuesday, October 21, 2003 ]
Sometimes you'll hear HIPPAcrats talk about "the other HIPAA," which refers to the portions of HIPAA other than the "administrative simplification" subtitle that deals with transactions and code sets, privacy, and security. Most of the time, a reference to "the other HIPAA" refers to the portability portion of HIPAA (the "P" in HIPAA), and the manner in which an individual can get insurance from a new employer if they can prove they had insurance from a prior employer, subject to certain time-frames.
However, sometimes the reference is to one of the many other provisions of HIPAA. Remember, HIPAA is a big, gnarly statute with lots and lots of tentacles. There's the "admin-simp" or "ad-si" portion I usually talk about. There's a portion of HIPAA authorizing an extension of the medical savings account experiment. And there's a portion that applies new standards and penalties for healthcare fraud.
On the AHLA listserv for HIPAA, there's been an active discussion of the applicability of criminal penalties under HIPAA. Do they apply to individuals (just "man on the street exposing HIPAA")? Do they apply to individuals who are not covered entities? What if the individual isn't a covered entity, but works for a company that is (like a nurse in a doctor's office who calls the newspaper with information on a patient)? What if the individual could be a covered entity but isn't by definition, but does not conduct electronic transactions and therefore isn't (a physician working for a practice that is a covered entity, but the physician never submits bills himself; his charges are billed by the group practice)?
While the debate will continue for the "ad-si" HIPAA crowd, there is some conclusion with regard to "the other HIPAA." The US Second Circuit court of appeals has affirmed
that the anti-fraud provisions of HIPAA apply to individuals, even if those individuals are not covered entities and are committing a fraud on insurers that are not covered entities under the ad-si portion of HIPAA. In US v. Lucien
, the defendants defrauded no-fault auto insurers by staging fake car accidents and collecting the insurance money for physical damages. Neither the scammers nor the auto insurance companies are "covered entities" under ad-si, but the language in "the other HIPAA" relating to fraud is more widely drafted to allow the prosecution of whoever defrauds any health care benefit program. Even though the auto insurers don't meet the ad-si definition of health care benefit program, they do meet the more openly-defined term in "the other HIPAA."
While it's not dispositive, this could aid the argument that HIPAA criminal penalties should apply to individuals.
Jeff [9:26 AM]
Blogger: HIPAA Blog - Edit your Template