What is HIPAA?

HIPAA stands for the Healthcare Insurance Portability and Accountability Act. President Clinton signed it into law in August 1996. The Act was intended to “improve the portability and accountability of health insurance coverage” for employees moving from one job to another. The Act also included provisions to make the administration of health insurance simpler, and encouraging health plans and medical providers to convert their records into electronic formats.

In the years since the passage of HIPAA the U. S. Department of Health and Human Services has written regulations intended to govern the privacy and security of electronic health information, and to enforce the regulations against health plans or medical providers who violate the rules.

To whom does HIPAA apply?

HIPAA privacy and security regulations apply to health plans, most health care providers, and health care clearinghouses. Health plans include health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid. Covered health care providers include those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists. Health care clearinghouses are entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. HIPAA also applies to business associates of these entities.

HIPAA is not intended to cover any other entities. Thus HIPAA doesn’t cover law enforcement agencies, many state and municipal agencies, worker’s compensation insurers, employers, schools, or school districts, among others.

What does HIPAA do?

HIPAA protects information that your doctors, nurses, or other health care providers place into your records, your conversations with your medical providers about your health, your billing records at your doctor’s office, and your information in your health insurance company’s computer system, and most other health information held by a covered entity.

What are your rights under HIPAA?

HIPAA grants every patient of a covered medical provider the right to see your protected health information, to correct if it is wrong, to receive a notice of how your medical provider uses and discloses your health information, to get a report from a covered entity about how your health information was used or disclosed, and where you can make a complaint if you feel your information was shared improperly.

When can your medical information be shared?

Your information can be used and shared for your treatment and care coordination, to pay doctors and hospitals for your health care, to help run their businesses, to keep your designated family and friends who are involved with your health care or your bills informed about your treatment, to make sure doctors give good care, and nursing homes are clean and safe, to protect the public’s health, such as by reporting to regulatory authorities, and to make required reports to the police, such as reporting gunshot wounds or child abuse.

Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot give your information to your employer, or use or share your information for research, marketing or advertising purposes, or sell your information. Medical providers and health plans can also release information, without your permission, pursuant to a court order, a properly issued search warrant, and under certain circumstances pursuant to a subpoena. They can also release information to medical and insurance regulatory authorities.

What happens if a covered entity is breached or violates your privacy?

If your information is breached, then the responsible entity is required to notify you about the breach and identify what information was disclosed, give you information about who to contact to learn more, identify how the covered entity is investigating the breach, and identify what you ought to do to protect yourself.

If a covered entity violates the privacy or security regulations, they can be subject to civil penalties or even criminal prosecution for repeated violations. These penalties can be quite harsh. In February 2017, Memorial Healthcare System, a nonprofit that operates six hospitals, an urgent care center, a nursing home, and a variety of health care facilities in the South Florida area, paid the U.S. Department of Health and Human Services $5.5 million to settle potential violations of the HIPAA Privacy and Security Rules and agreed to implement a corrective action plan.

You have the right to report a breach or violation of your medical privacy to the Office of Civil Rights at the Department of Health and Human Services. They can take action against the medical provider or health plan to fine them civilly or prosecute them criminally under some circumstances.

What recourse do you have if your medical privacy is breached?

You may have a variety of remedies available under state or federal law depending on the type of medical provider, the type of information, and the circumstances under which it was released. These can range from administrative complaints to state licensing boards to lawsuits to against the medical provider for negligence, invasion of privacy, breach of a fiduciary duty, or breach of contract, just to name a few.

In some cases, state Attorneys General have filed lawsuits to collect civil penalties from covered entities, and to distribute those funds to the victims.

Although HIPAA does not permit private parties to file civil actions for damages, a small, and growing, number of states have allowed negligence claims under state law to proceed against covered entities for violations of medical privacy, on the theory that the HIPAA Privacy and Security rules define the industry standard of care for the protection of medical information. While no case in Georgia has yet presented this issue, Georgia has permitted state law negligence claims arising out of the violation of federal employment safety regulations for decades. It’s likely that when the Georgia appellate courts are presented with that issue, they will join the growing number of state appellate courts allowing state law negligence claims arising out of HIPAA violations.

If you know of a violation of your right to medical privacy call The Bowman Law Office at 912-401-0121.