Welcome to Sixty Seconds of Privacy, an e-newsletter brought to you by the Privacy and Data Security practice group at Thelen Reid Brown Raysman & Steiner LLP.

Each edition of this e-newsletter addresses one interesting legal development in the area of privacy and data security, in a brief "question and answer" format. Each edition is intended to be read in about a minute, yet will update you on an important development. We pick the topics for this e-newsletter based on what our clients are concerned about. You are welcome to submit your questions or suggestions to us, and you may find your sixty second answer in an upcoming edition.

Question: Although HIPAA requires health plans and health care providers to implement privacy and security policies and procedures, this is expensive and I have heard that there is little actual enforcement of the HIPAA rules. What are the risks of noncompliance?

For this question, we called on Tonie Bitseff, an attorney in our Tax, Benefits, Trusts, and Estates department, who specializes in, among other things, HIPAA privacy issues.

Answer: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established national privacy and security standards for covered entities such as health care providers and health plans. Although the health industry has devoted substantial resources towards achieving compliance over the last few years, enforcement has been largely limited. This trend is turning as new developments suggest increased enforcement and liability risks.

On February 16, 2006, the Department of Health and Human Services adopted a final rule on monetary penalties under HIPAA. This consolidated enforcement rule became effective March 12, 2006, giving real "bite" to enforcement efforts and a real incentive to correct lingering noncompliance issues.

In December 2006, a North Carolina Court of Appeals decision highlighted another strong incentive for HIPAA compliance. Although a private litigant has no private right of action under HIPAA, in Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. Dec. 19, 2006), the court found that a violation of duties owed under HIPAA constituted a negligent act. This means that private litigants can bring negligence actions based on a HIPAA violation even though they cannot directly recover for the HIPAA violation itself.

Finally, on January 24, 2007, the first HIPAA case to go to trial ended in the conviction of a former Cleveland Clinic employee. One of the eight counts was wrongful disclosure of individually identifiable health information.

Criminal penalties, civil penalties, and private lawsuits are three compelling reasons for tightening HIPAA privacy and security compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.