HIPAA - Health Insurance Portability and Accountability Act of 1996

Federal Laws Affecting Certified Nurse-Midwifery

When reading this article, you may be tempted to skip it altogether, and I can relate to your motivation. Anyone who has practiced or been employed in healthcare since 2003 has been thoroughly indoctrinated in HIPAA and its significance. Whether as a patient or a provider, HIPAA blurs our vision with its complex legislative requirements and potential penalties if we falter. Without delving too deeply into its complexities or inducing catatonia, the basics of HIPAA do deserve review to remind us of the importance of this legislation and its relevance to midwifery practice.

Rojan Maharjan

HIPAA and Midwifery Practice

Close your eyes and repeat after me: “The federal law that controls privacy and security of our protected health information is codified in HIPAA.” Most of us are unaware that the original purpose of the Statute was to set standards for the transmission of electronic health data and to allow ordinary people to continue their health insurance after changing or losing their jobs.

Before 2003, there were no privacy standards for an individual’s health information under HIPAA. Any protections that existed could be found in State laws. To give it a little more teeth, the Department of Health and Human Services issued three rules: 1. The HIPAA Privacy Rule. 2. The HIPAA Security Rule. 3. The HIPAA Enforcement Rule. The Privacy Rule is the one we are most familiar with. It grants covered entities individual rights regarding personal and private health information (PHI). The Security Rule establishes national standards to protect individuals’ health information. It requires administrative, physical, and technical safeguards to protect electronic health information. Enforcement addresses compliance, investigations, and the crafting of suitable penalties for wrongdoers.

CNMs/CMs are NOT Covered Entities . . .?

In regard to being a “covered entity” under HIPAA, it is important for you to determine whether or not you are one. Under HIPAA, a CE (covered entity) is defined as a health plan, healthcare clearinghouse, or healthcare provider, “as long as that provider transmits health information in electronic form in connection with a transaction, such as authorizations for treatment, etc.” Healthcare providers who are paid to provide healthcare, such as doctors, dentists, hospitals, nursing homes, pharmacies, urgent care clinics, and others who provide healthcare in exchange for payment, are considered covered entities. However, the statute is silent regarding advanced practice clinicians who may run their own clinics and receive payment.

A reasonable interpretation would be that independent nurse-midwives fall within the definition of health care providers who are paid to provide care. Following this reasoning, birth centers would also be considered as covered entities, similar to urgent care clinics.

Individual health care providers must comply with HIPAA only if they transmit health information electronically in connection with covered transactions. Most providers transmit information electronically to perform functions such as processing claims and receiving payments (coding). Therefore, most providers are covered under HIPAA[1]

Independent Nurse-Midwives and HIPAA

What about certified nurse-midwives who are hospital employees? They are NOT considered covered entities under HIPAA, but they may still be fined for violating the rules. The Office of Civil Rights may impose a penalty of $100.00 per violation of the statute when an employee was unaware she was violating HIPAA rules, up to a maximum of $25,000.00 for repeat violators. In cases of reasonable cause, fines can reach $ 1,000.00 per violation, with a maximum of $100,000.00 for repeat violators. If the violation is considered willful neglect, the fine is $10,000.00 up to $250,000.00 for repeat violators.

Larry Farr

Willful neglect with no correction carries a $60,000.00 penalty per violation, up to $1,500,000.00 for repeat violators. HIPAA is no joke.

Penalties and HIPAA

In conjunction with criminal charges, penalties can also be filed when HIPAA rules are violated under false pretenses, acquiring stolen health information with the intent to sell it, or other mayhem involving intent to inflict malicious harm. Chances are that any CNM/CM privacy violations under HIPAA would be unintentional and rapidly corrected. Research has shown that it is quite difficult to face penalties for unintentional, minor violations. As a certified nurse-midwife, there is always a minute chance of a money penalty, but a future crocheting ponchos in federal prison is unlikely.

Is HIPAA Even Relevant to CNM Practice?

HIPAA is relevant to your practice. If you have not thoroughly memorized all the possible ways to violate HIPAA, there is a compliance officer at your institution who can answer any questions regarding violations.

We all know the nurses-gossiping-in-the-elevator stories. One thing to remember is: if you are talking about a patient in the elevator, bathroom, break room, or other public place, and in the course of the discussion, you drop random patient demographics, you are in violation. The patient's name is not required in this instance. Details that may lead to a patient’s identity are all that is required to violate the statute. This applies to in-person, written, and electronic/cell phone communications as well.

One last bit of information regarding HIPAA: There is no private cause of action under the Statute. This means that an individual cannot personally sue a covered entity under HIPAA. If your own private health information is illegally accessed and exploited, you do not have personal recourse other than some satisfaction that the violator will be fined or jailed. All money collected for HIPAA violations is remitted directly to the United States Treasury.

1. Health Privacy: HIPAA Basics. Privacy Rights Clearinghouse. https://privacy rights.org/consumer-guides/health-privacy-hipaa-basics.

http://www.midwivesontrial.com