Section 1172 (a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191) makes some cities responsible for maintaining and transmitting health information in accordance with reasonable and appropriate administrative, technical, and physical safeguards:
- To ensure the integrity and confidentiality of the information;
- To protect against any reasonably anticipated:
- Threats or hazards to the security or integrity of the information,
- Unauthorized uses or disclosure of the information, and
- Otherwise to ensure compliance with this part (Section 1172 (a)) by the officers and employees of the city.
The act requires a covered entity to consider:
- Its size, complexity, and capabilities,
- Its technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and possible impact of potential risks to e-PHI.
The act provides that a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year of imprisonment. Penalties may increase up to $100,000 and up to five years imprisonment, depending on the circumstances.
Maintaining personnel records in a central location under the custodianship of a trained records keeper is the best insurance for the city and its employees to comply with HIPAA and to significantly reduce or avoid liability.
For a summary of HIPAA security information of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information, see the Department of Health and Human Services
On January 25, 2013, the Department of Health and Human Services issued a final rule modifying HIPAA’s Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (‘‘the HITECH Act”) which merits review.