What is HIPAA?

HIPAA stands for the Healthcare Insurance Portability and Accountability Act. President Clinton signed it into law in August 1996. The Act was intended to “improve the portability and accountability of health insurance coverage” for employees moving from one job to another. The Act also included provisions to make the administration of health insurance simpler, and encouraging health plans and medical providers to convert their records into electronic formats.

In the years since the passage of HIPAA the U. S. Department of Health and Human Services has written regulations intended to govern the privacy and security of electronic health information, and to enforce the regulations against health plans or medical providers who violate the rules.

To whom does HIPAA apply?

HIPAA privacy and security regulations apply to health plans, most health care providers, and health care clearinghouses. Health plans include health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid. Covered health care providers include those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists. Health care clearinghouses are entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. HIPAA also applies to business associates of these entities.

HIPAA is not intended to cover any other entities. Thus HIPAA doesn’t cover law enforcement agencies, many state and municipal agencies, worker’s compensation insurers, employers, schools, or school districts, among others.

What does HIPAA do?

HIPAA protects information that your doctors, nurses, or other health care providers place into your records, your conversations with your medical providers about your health, your billing records at your doctor’s office, and your information in your health insurance company’s computer system, and most other health information held by a covered entity.

What are your rights under HIPAA?

HIPAA grants every patient of a covered medical provider the right to see your protected health information, to correct if it is wrong, to receive a notice of how your medical provider uses and discloses your health information, to get a report from a covered entity about how your health information was used or disclosed, and where you can make a complaint if you feel your information was shared improperly.

When can your medical information be shared?

Your information can be used and shared for your treatment and care coordination, to pay doctors and hospitals for your health care, to help run their businesses, to keep your designated family and friends who are involved with your health care or your bills informed about your treatment, to make sure doctors give good care, and nursing homes are clean and safe, to protect the public’s health, such as by reporting to regulatory authorities, and to make required reports to the police, such as reporting gunshot wounds or child abuse.

Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot give your information to your employer, or use or share your information for research, marketing or advertising purposes, or sell your information. Medical providers and health plans can also release information, without your permission, pursuant to a court order, a properly issued search warrant, and under certain circumstances pursuant to a subpoena. They can also release information to medical and insurance regulatory authorities.

What happens if a covered entity is breached or violates your privacy?

If your information is breached, then the responsible entity is required to notify you about the breach and identify what information was disclosed, give you information about who to contact to learn more, identify how the covered entity is investigating the breach, and identify what you ought to do to protect yourself.

If a covered entity violates the privacy or security regulations, they can be subject to civil penalties or even criminal prosecution for repeated violations. These penalties can be quite harsh. In February 2017, Memorial Healthcare System, a nonprofit that operates six hospitals, an urgent care center, a nursing home, and a variety of health care facilities in the South Florida area, paid the U.S. Department of Health and Human Services $5.5 million to settle potential violations of the HIPAA Privacy and Security Rules and agreed to implement a corrective action plan.

You have the right to report a breach or violation of your medical privacy to the Office of Civil Rights at the Department of Health and Human Services. They can take action against the medical provider or health plan to fine them civilly or prosecute them criminally under some circumstances.

What recourse do you have if your medical privacy is breached?

You may have a variety of remedies available under state or federal law depending on the type of medical provider, the type of information, and the circumstances under which it was released. These can range from administrative complaints to state licensing boards to lawsuits to against the medical provider for negligence, invasion of privacy, breach of a fiduciary duty, or breach of contract, just to name a few.

In some cases, state Attorneys General have filed lawsuits to collect civil penalties from covered entities, and to distribute those funds to the victims.

Although HIPAA does not permit private parties to file civil actions for damages, a small, and growing, number of states have allowed negligence claims under state law to proceed against covered entities for violations of medical privacy, on the theory that the HIPAA Privacy and Security rules define the industry standard of care for the protection of medical information. While no case in Georgia has yet presented this issue, Georgia has permitted state law negligence claims arising out of the violation of federal employment safety regulations for decades. It’s likely that when the Georgia appellate courts are presented with that issue, they will join the growing number of state appellate courts allowing state law negligence claims arising out of HIPAA violations.

What to Do If You Believe Your Medical Privacy Has Been Violated

If you believe your doctor or a hospital has violated your medical privacy rights, but you don’t know what to do, there is good news.  There are simple steps you can take to begin addressing the violation of your medical privacy rights.

First, you may want to file a complaint with Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). This is the U.S. government agency responsible for investigating HIPAA violations and enforcing HIPAA regulations. You can read about the complaint process here. And you can file a complaint online with the Office of Civil rights here. Be aware that there is a time limit of 180 days from the date your medical privacy was breached, after 180 days have passed OCR has no obligation to investigate. If more than 180 days has passed, you may still want to file the complaint anyway; even though OCR has no legal obligation to investigate a complaint made after the deadline, a complaint places OCR on notice of a potential HIPAA violation that it can take into consideration if there are future violations by the same medical provider. Keep a copy of the complaint for your records and for an attorney, should you hire one. You will be contacted by OCR and notified that their investigation has begun and then you will be notified when the investigation is complete. Once the investigation has been completed, you will know if OCR found that a violation has occurred and what action they have taken against that medical provider.

Second, you should write out your complaint in a letter or an email and send it to the medical provider or hospital that violated your HIPAA or medical privacy rights. By law, every medical provider who must comply with HIPAA’s protected health information regulations must designate a person or office responsible for receiving HIPAA and medical privacy violation complaints. The identity of the privacy officer and the contact information for a privacy complaint can be found in the Notice of Privacy practices posted on the provider’s website. Once a medical provider is notified of a complaint, it must investigate, and notify HHS, any affected individuals whose privacy may have been breached, and sometimes the media. This is required by something called the Breach Notification Rule. Keep copies of any complaints you write, any emails you send or receive related to the complaints, and any letters or documents you may receive from any entity regarding their investigations.

Before you contact a lawyer, take these two steps and you are well on your way to protecting your rights. Your actions can prevent violations like this from happening to you and other people in the future.

If you believe that your medical privacy or HIPAA rights have been violated then call us at 912-401-0121, or contact us here.