Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Penalties


Comment: Many commenters considered the statutory penalties insufficient to protect privacy, stating that the civil penalties are too weak to have the impact needed to reduce the risk of inappropriate disclosure. Some commenters took the opposing view and stated that large fines and prison sentences for violations would discourage physicians from transmitting any sort of health care information to any other agency, regardless of the medical necessity. Another comment expressed the concern that doctors will be at risk of going to jail for protecting the privacy of individuals (by not disclosing information the government believes should be released).

Response: The enforcement regulation will address the application of the civil monetary and criminal penalties under HIPAA. The regulation will be published in the Federal Register as a proposed regulation and the public will have an opportunity to comment. We do not believe that our rule, and the penalties available under it, will discourage physicians and other providers from using or disclosing necessary information. We believe that the rule permits physicians to make the disclosures that they need to make under the health care system without exposing themselves to jeopardy under the rule. We believe that the penalties under the statute are woefully inadequate. We support legislation that would increase the amount of these penalties.

Comment: A number of commenters stated that the regulations should permit individuals to sue for damages caused by breaches of privacy under these regulations. Some of these commenters specified that damages, equitable relief, attorneys fees, and punitive damages should be available. Conversely, one comment stated that strong penalties are necessary and would preclude the need for a private right of action. Another commenter stated that he does not believe that the statute intended to give individuals the equivalent of a right to sue, which results from making individuals third party beneficiaries to contracts between business partners.

Response: We do not have the authority to provide a private right of action by regulation. As discussed below, the final rule deletes the third party beneficiary provision that was in the proposed rule.

However, we believe that, in addition to strong civil monetary penalties, federal law should allow any individual whose rights have been violated to bring an action for actual damages and equitable relief. The Secretary's Recommendations, which were submitted to Congress on September 11, 1997, called for a private right of action to permit individuals to enforce their privacy rights.

Comment: One comment stated that, in calculating civil monetary penalties, the criteria should include aggravating or mitigating circumstances and whether the violation is a minor or first time violation. Several comments stated that penalties should be tiered so that those that commit the most egregious violations face stricter civil monetary penalties.

Response: As mentioned above, issues regarding civil fines and criminal penalties will be addressed in the enforcement regulation.

Comment: One comment stated that the regulation should clarify whether a single disclosure that involved the health information of multiple parties would constitute a single or multiple infractions, for the purpose of calculating the penalty amount.

Response: The enforcement regulation will address the calculation of penalties. However, we note that section 1176 subjects persons to civil monetary penalties of not more than $100 for each violation of a requirement or prohibition and not more than $25,000 in a calendar year for all violations of an identical requirement or prohibition. For example, if a covered entity fails to permit amendment of protected health information for 10 patients in one calendar year, the entity may be fined up to $1000 ($100 times 10 violations equals $1000).