With our increasingly interconnected world and the rise of identity theft and other similar invasions of privacy, more and more laws and regulations are being enacted to bolster traditional common law and wall off private information from the public. One such body of law is contained in the Health Insurance Portability and Accountability Act. More commonly known as “HIPAA,” this law was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about the privacy and security of personal health data. The task of writing rules on privacy eventually fell to the U.S. Department of Health and Human Services (HHS). After several modifications, HHS issued the HIPAA Privacy Rule.
HIPAA set a national standard for the privacy of medical records. A state can enact greater privacy rights, but HIPAA sets the minimum that must be followed. Under HIPAA, the patient has a right to their medical records, although the provider can bill for the cost of copying them.
When you first go to a doctor or other medical provider, they should provide you with a notice of privacy practices that gives you more information about how your medical information is shared. Included in that is your right to an accounting of disclosures of your health information, how to file a complaint, and how to ask for special confidential communications (for example, telephone calls to your home rather than your workplace for communications regarding your health care and treatment).
Exceptions to the protection of HIPAA include information used for your treatment, drug companies issuing recalls or warnings about medications, and business associates (for example, if your doctor provides your information to an accountant for medical billing purposes). The health care provider is supposed to have a contract that ensures that the business associate properly handles the information, but is not required to check on and supervise the business associate.
The patient can also authorize the health care provider to release the information to a third party. I usually run into this exception when dealing with personal injury and medical malpractice lawsuits. Most people understand that if they are trying to recover for medical bills and injury, they have to show their medical records and bills to the jury. However, the plaintiff is also required to turn over medical information before trial to a defendant who asks for it in discovery, even past medical records, if it could possibly lead to discoverable evidence. One common defense is that the injury the plaintiff complains of did not occur due to the defendant’s negligence, but rather due to a pre-existing condition. Therefore, evidence of a plaintiff’s pre-existing medical condition, including her past medical records, is discoverable. This is thought of as a voluntary disclosure, since a plaintiff is not required to file a lawsuit.
If a medical provider releases your information in violation of HIPAA, you cannot file a lawsuit. There is no “private right of action” under HIPAA. What you can do is first complain to the medical provider’s privacy officer. If you are not satisfied, you can file a complaint with the U.S. Department of Health and Human Services. You have 180 days to file such a complaint, although HHS can extend that deadline if needed. HHS can levy fines against the health care provider, but you won’t get the money as you would in a private right of action lawsuit.
While some states may have additional privacy rights that would be actionable in a civil lawsuit (and therefore an aggrieved plaintiff could recover damages), North Carolina is not one of them. However, in North Carolina, a HIPAA violation can be used as the basis for the tort of Negligent Infliction of Emotional Distress (NIED). This means that the plaintiff can file a suit and recover damages. However, an NIED suit would have to show more than just a violation of HIPAA. The plaintiff would have to show “severe emotional distress,” which North Carolina courts have held to be a diagnosable condition. If the disclosure of your private health records didn’t cause you to need psychiatric or other counseling, then you probably won’t have a case. In addition, the suit would fall under the stricter medical malpractice rules, so there will be additional hoops to jump through, including finding an expert in the same specialty to testify as to why the HIPAA violation was a breach of the standard of care.
--Bradley A. Coxe is a practicing attorney in Wilmington, NC who specializes in Personal Injury, Medical Malpractice, Contract and Real Estate disputes and all forms of Civil Litigation. Please contact him at (910) 772-1678.
The law provides the injured party with the opportunity to recover financial compensation if he or she can demonstrate, ‘on the balance of probabilities’, that the medical treatment received was administered negligently by the Doctor or relevant healthcare professionals and in turn that this negligence caused, in whole or in part, the injury or illness.
Posted by: Doctor Negligence | January 24, 2011 at 02:18 AM
Drug store employee announced my personal information and then turned the computer monitor so that others were able to see my information. My daughter's health information is now public knowledge throughout the town in which we live. I had no idea my daughter had a health issue until the drug store employee shared it with me and others. There was no discretion on her part. Our complaint to the Drug Store has fallen on deaf ears. How do we proceed?
Posted by: consuelastephens@yahoo.com | October 27, 2014 at 01:35 PM
File a complaint with U.S. Dep. Of Health.
Posted by: Bradley Coxe | October 30, 2014 at 02:22 PM
As a HIPAA consultant for years, I have seen protecting PHI become such a challenge. I would add that not only are policies and procedures important, but to really ensure the safety and security of PHI, both Covered Entities and Business Associates should do three (3) primary things: (1) put in place all necessary HIPAA policies and procedures; (2) strictly enforce annual security awareness training for all employees and workforce members; and (3) build a network that has comprehensive elements of layered security and defense-in-depth within it. Call it the 3-point triangle for HIPAA success, which is relatively straightforward, yet many CEs and BAs simply fail to grasp the importance of such initiatives. Remember that HHS | OCR has announced even more annual HIPAA compliance audits, so be ready.
Posted by: Heather McFarland | December 04, 2014 at 09:48 AM