I am asked that question almost weekly. While the answer has traditionally been “no,” the legal landscape is shifting and the risk of being sued continues to increase.
Let’s start with some background. As some of you may know, HIPAA does not include a “private right of action.” This means that an individual may not file a claim against a covered entity or a business associate in order to enforce HIPAA or seek damages in response to a HIPAA violation. For example, a patient is not able to sue a dentist if the dentist fails to distribute a Notice of Privacy Practices or fails to enter into a business associate agreement. The sole remedy of an aggrieved individual is to file a complaint with the United States Department of Health and Human Services Office for Civil Rights (“OCR”) or, more recently, with a state Attorney General. In addition, in some states, individuals have been able to file complaints regarding generalized privacy concerns with various state regulatory agencies, such as a state health or consumer protection department. With respect to OCR, notification of the right to file a complaint and the process for doing so is generally set forth in a covered entity’s Notice of Privacy Practices.
Since HIPAA was enacted, the lack of a private right of action has provided solace to covered entities and business associates, particularly since complaints tend to be few in number. Moreover, OCR investigations of complaints have often resulted in compliance agreements and consent orders, rather than court actions or civil damages, both of which would require the covered entity or business associate to expend considerable sums on attorney fees, court costs and payment of damages.
While there is no hint at this time that Congress is contemplating including a private right of action in HIPAA (i.e. allowing individuals to sue to enforce HIPAA), aggrieved patients and their counsel have been finding other ways to file claims for HIPAA violations and use HIPAA violations as the basis for seeking monetary damages. For example, in some states, patients have filed suit against health care providers on the grounds of negligence – claiming that the provider was negligent when violating HIPAA and thus must be held liable for damages. A recent example from Connecticut illustrates the way these lawsuits operate:
A physician received a subpoena for medical records. The physician supplied the medical records as requested by the subpoena; however, the subpoena did not comply with HIPAA. The subject of the medical records sued, alleging that HIPAA creates a “standard of care” for all health care providers and that the failure of the physician to adhere to that standard of care was “negligent.” The physician sought to block the suit but the Connecticut Supreme Court allowed it to continue. As of this date, the lawsuit is making its way through the Connecticut state courts. In addition, lawsuits are currently being prepared and filed in response to the recent Anthem breach and many will be claiming negligence or violation of various state privacy or insurance regulations.
These types of lawsuits would have been unheard of even just a few years ago. However, while still not widespread or common, the emergence of these suits poses significant risk management and liability concerns for any health care provider, health insurance company or vendor subject to HIPAA. The risk of a lawsuit is most pertinent to HIPAA violations which may cause financial, reputational or other harm to a party. Hypothetical examples, based upon real life incidents, include:
- Inappropriate disclosure of medical records in response to a subpoena, which causes a former patient to lose custody of her children.
- Inappropriate disclosure of a child’s medical record to an estranged parent after the health care provider failed to verify the estranged parent’s authority to access records, which leads the estranged parent to discover where the child now resides.
- Inappropriate use of medical records by hospital staff as part of a “hot or not” game, which causes severe embarrassment and distress to certain patients.
A negligence attorney and an angry patient could potentially make a claim based upon any of the above and may seek a significant financial settlement or payout.
In light of the potential for such lawsuits and the significant damages that may be awarded, covered entities and business associates should consider reviewing their HIPAA compliance programs to identify weaknesses and institute safeguards and protocols to reduce the likelihood of inappropriate disclosures that may lead to a patient filing suit. Such safeguards may include, based upon the above examples, a subpoena review checklist, verification procedures, a reliable reporting protocol or other procedures to allow the entity or its staff to verify that information is being used and disclosed appropriately.
Is it a HIPAA violation if a lockbox provider of services to multiple entities posts a payment to the wrong client, which results in the check being posted to the wrong provider’s file? Then, the wrong provider sees name and address information. All three entities are bound by HIPAA (the lockbox provider, the wrong provider and the right provider). No private person ever sees the wrong information.
Thank you for the comment. It appears that the situation you described would be a violation of HIPAA; however, it may or may not be a “breach” requiring notification to the affected individual or the Office for Civil Rights.
Not all violations of HIPAA amount to a breach, and even the inadvertent disclosure of patient information to the wrong party (such as in your question) may not be a breach if there is a low probability that the information has been “compromised.” When faced with a possible breach such as this, you should consider the circumstances (e.g. how sensitive was the disclosed information? how trustworthy was the wrong recipient? did the wrong recipient certify she/he shredded/deleted the information?). Here, while it is helpful that the wrong recipient was also governed by HIPAA and thus has an obligation to maintain patient privacy, you should also consider any other risks present, such as the number of people who may have seen the information, the length of time the wrong recipient had the information, or whether the wrong recipient re-disclosed it. After considering all of the facts, you can make a good faith determination regarding whether a breach occurred.
Hope this helps. Feel free to reach out if you would like to discuss further.
Can a safety manager keep copies of medical evaluations for PPE fit testing?
Ian – It depends on whether the evaluations are subject to HIPAA. Many fitness testing documents are considered employment records – if that is the case at your organization, then you must look to state laws governing personnel/HR files for guidance.
I was a patient in an inpatient treatment program and a staff member left my entire file out in a public place. There were 50 plus patients that could have seen all of my personal info. While nothing that I know of yet has been breached, my SS number, my address, checking account, routing number, name of bank, and diagnosis were made public. Is there anything I can do to make sure they are held accountable for what they did?
Patients concerned about the privacy and security of health information maintained by health care providers may contact the Office for Civil Rights (http://www.hhs.gov/ocr/privacy/hipaa/complaints/) or their state Attorney General’s office.
Long story short, my doctor called my employer and gave medical information, including referral info, diagnosis, and even the doctor’s personal opinion of what a specialist may or may not do or suggest be done. My employer took this info, found me no longer suitable for my position and fired me 3 days later. Did my doctor violate HIPAA by calling my employer without my permission and giving out personal medical information? I’ll add my employer was telling me things about the doctor’s opinion from my appointment that he didn’t even share with me?!?!
Thank you for your comment. Generally, a physician or other health care provider may not disclose a patient’s health care information to an employer unless the patient signed an authorization permitting such disclosure. Note that in unusual cases, a health care provider may be required to disclose information if required by law (such as part of an investigation) or in response to a subpoena. If you would like to discuss this further, please feel free to contact me directly.
I have a patient who is asking a lot of questions regarding HIPAA. It seems as if he had been to another doctor’s office and had 2 different family members in the room with him when the doctor came in. The doctor immediately began talking about the patient’s medical condition, which the patient apparently did not want shared with the family members. He wants to know if this is breaking HIPAA and, if so, what should be done about it. Thanks for your time!
Leanna,
Based upon the information you provided to me, it is very unlikely that the physician violated HIPAA. A physician may disclose information to family members if he or she reasonably believes that such family members are involved in the patient’s care or treatment. Such an inference was likely reasonable in this instance because the patient brought the family members into the room. Hope this helps. Bill
Subject: Filing a Health Information Privacy Complaint
Below is a letter written to Tim Beauch, in the Grievance Department.
Note: Received no reply/response back regarding this complaint. Please see attached letter from doctor regarding HIPAA violation.
I was called into the manager’s office to discuss my “call offs,” which both the manager and supervisor stated that they were understanding of due to my health issues. During said meeting, I remembered that no one had contacted me regarding my work release, which was not given to me until after my surgery. I was forced to be back to work prior to the release date from my doctor, although I did not have a work release, and the manager was informed by me and aware that I was unable to contact Dr. Curtis, who had performed my surgery, because he was on vacation.
It was 3 weeks before I received a call back from the nurse manager at the GYN for this information. The nurse verified that she did not see discharge instructions specific to required time off for my healing process. In the meantime, my body rejected the implant and I experienced severe pain upon having to return back to work so soon without the proper time for my body to heal.
It was also prior to my surgery that my HIPAA rights were violated by the manager. The manager was properly notified about the time and dates of my medical leave, which I forwarded to her via e-mail from my doctor’s office. Holly violated my HIPAA rights by calling my PCP several times in order to ask him for specifics as to why I was being taken off from work. My PCP notified me about the matter and was quite upset that he was contacted for my personal information, for one, and secondly because she was interrupting his work day by excessively calling his office.
These are just some of the mistreatments that I have suffered at the hands of Aultman Hospital supervisors, directors, peers, and medical staff. I have been an outstanding employee with Aultman Health Foundation. I have fellow employed ER staff that have written highly esteemed letters of recommendation for me.
In closing, no one should ever have to suffer as much emotional, mental and physical distress as I have via an employer and its company’s counterparts.
An EMT told my employer why I took off work, that I was admitted to a hospital, and stated why. This EMT works at another hospital and was not a responder to me. Can I still file a claim for breach of privacy? He and I work at an apple orchard on weekends, but he is an EMT and thought he would tell the manager what problems I have in regards to health conditions.
If a client reveals information regarding their care on social media, is it a HIPAA violation if someone from the provider’s office comments on what they shared?
Hi Ron,
Thank you for the comment. As a best practice, provider office staff should not interact at all with patients via social media. A provider office should have a social media policy which clearly prohibits this practice.
That said, if such interaction were to occur, whether a HIPAA violation occurred or not depends upon the content of the comment. I can’t advise on this particular fact pattern without knowing more details, but it appears that a HIPAA violation likely occurred. Feel free to contact me directly with any questions.
Bill
Hi William,
I am a medical professional and was seen in the hospital I work for. I have heard others say “we were just talking about you earlier” and “I heard you have this condition.” I’m even sure others viewed my records without being my caregivers… Is this a breach in confidentiality? Have they violated my privacy? Has a HIPAA violation occurred?
Thanks for the comment. Only those with a work-related “need to know” should have access to your medical records. If an employee does not have such a need to know, they should refrain from further disclosing such information when not necessary for work duties. If your information was accessed or disclosed outside of these parameters, it is possible a HIPAA violation occurred.
I had a medical facility email my medical billing and medical registration form to a co-worker while trying to collect on the bill that insurance only paid a portion of.
Is this something that needs to be handled through the legal channels?
I was in an inpatient care unit, and someone that worked for the facility came up on the floor where I was and said that one of his co-workers told him that I was there. This led to a longer stay because of a setback. I talked to the unit manager and he apologized, but the hospital care representative wouldn’t even come and talk to me. Is this a breach of the HIPAA law?
Tee, It is possible that the individual knew you were at the facility because you were listed in the facility’s directory. Without more information, it is impossible to know whether a breach may have occurred.
A neighbor entered my bedroom, looked at my medications and is spreading it around the neighborhood. What can I do? Embarrassing.
I work for a city municipality and I was wondering: if our HR person divulges information about me to a third party that is related to me, is that a violation of HIPAA? Mind you, I am NOT a minor and never authorized any information about myself to be given out to anyone else.
The information the HR person disclosed was likely employment-related information that is exempt from protection under HIPAA. If that is the case, then HIPAA would not apply. However, your employment records may enjoy protection under applicable state law (such as what is commonly referred to as a personnel files act) or even a collective bargaining agreement. If you are concerned about the privacy of your records, you may want to consult with an attorney in your area.
I’m an LPN at a long-term nursing home. I’d like to know if I am in violation of the “Invasion of Privacy Act.” A resident was on the phone with his wife (I knew this only because he has a routine of talking to her after dinner every day). I was dispensing medications from my cart, which I had stationed in the hall off to the side of his room. He talks really loud, so that everyone and anyone who was in the hall or passing by could hear everything he was saying, including the 2 other residents with whom he shares the room. He said something that got my attention and was telling his wife something that was not correct. I went to his side of the room, acknowledged him and proceeded to correct what he was saying that was incorrect. So now I am on investigational leave and my employer is telling me I invaded the residents’ right to privacy. If I did, which was unintentional, what sort of reprimand could I get charged with?
I recommend you contact an attorney in your local area to assist you. In many instances, states have requirements specific to nursing homes which a local attorney will be able to advise you on.
I was hurt at work. My boss told me my MRI REPORT before I even went to the doctor for follow up. Is this a HIPAA violation?
Unaware of the fact that my ex-husband’s current wife (at the time of this incident) was employed as an LPN at a local clinic, I went to said clinic seeking treatment for addiction. Well, a few months ago they went through a divorce and my ex-husband revealed to me that his wife had accessed my personal information more than once and revealed to him that I had been suffering with addiction and all the details that I had revealed to my physician in confidence, and she had also encouraged my ex to seek custody of the 8 year old son that he and I have together. My ex-husband also told me of two other patients whose privacy had been breached by his wife during this time. She is still currently employed by the same hospital clinic and I’d like to know if there are any actions that can be taken on my part. I have since learned that this LPN has revealed my previously quiet struggle with addiction to several of her friends and family and now a very large part of our small town community is aware of it. I’m humiliated and hurt beyond imagining. I made up my mind to end my 3 year addiction once and for all before I ended up hurting and embarrassing my family and friends, and this visit to this clinic was my first step. Thankfully I received successful treatment from a different provider over time and am now addiction free.
But now the majority of my small town are all aware of the details and extent of my addiction and it has been very painful for me. Is there anything that can be done?
Is it a HIPAA violation for a receptionist to view your medical records to determine if you can have a same day appointment, and then recite to you on the phone, while in a public area, the medications you are on?
My employer tried to fire me because they “heard” I was missing work looking for another job. I denied it and showed them both a doctor’s note and a text from my doctor that my blood work from the previous day came back VERY bad. I called in to say my health was bad and I needed to go in to the doctor immediately. My boss said that if I didn’t come in, to bring all my things in as he was going to terminate me. I reluctantly went to work and had to fight for my job, which included the fact that I was under medical care for a chronic condition. I explained what it was, and my manager turned around and not only told my colleagues that I “begged and cried” to keep my job and laughed about it, but also told them the extent of my conversation about my health. Do I have any recourse?
Hello
I have a new job and it happened to be in the same facility where I have treatment for mental illness and addiction problems. On my first day the receptionist saw me getting my badge activated and stated, “I just called you, you have an appointment tomorrow,” in front of the security team and my new co-worker. This was very embarrassing. I didn’t think it would be an issue taking a job where I have treatment, but I felt very embarrassed. Did the receptionist violate HIPAA?
Hello and thank you for this forum,
I have suffered from addiction to prescription medication (9 years) and subsequently heroin (1 year). By the grace of God an event occurred that led me to take steps to get “clean.” I started attending a methadone clinic. I receive methadone daily, a weekly urine drug screen, as well as once to twice weekly counseling. My mother was paying $100/week for me to receive these services. I had to sign a release in order for her to pay for my treatment. The release was only for her to make payment. On December 28th my mother asked for and was given a copy of my previous 2 months’ worth of drug screens. Amphetamines showed up on 2 occasions because I had a cold in November and took Sudafed, which can cause a false positive for crystal methamphetamine. My mother shared these results with my husband. He told me he wanted a divorce on January 1, 2015 after an 18 year relationship and two children. My mother will not speak to me and is now refusing to pay for my much needed treatment. I spoke to the methadone clinic director as well as the nurse who illegally dispensed my medical records. They apologized profusely and admitted their negligence. This has caused me great heartache. Without this medication I fear for my life. Is this breach actionable? I’m so confused, scared, and lost.
Thank you very much
I’m sorry my husband asked for a divorce 4 days ago January 1, 2016 not 2015. Thank you
I received a medical claim from my insurance stating I had a baby. I called them to clarify that I never had a baby and they told me that the claim was from another insurance carrier. It appears that the other party billed my insurance for my brother’s baby (my niece) just because we had similar information (last name and address). Is this a HIPAA violation?
William, I had a nurse yell and scream at me in front of her office (and everyone in the waiting room), and she even admitted to me that everyone in the office heard about the medications I was taking and my personal medical history. She also did not follow her doctor’s orders and changed a prescription from my doctor, who was going to be doing surgery on me the following day, to 5 pills because I made a 5 pill comment. I had to plead to get something for after surgery, even after the doctor had written out the prescription. I was treated like a drug addict and was treated very disrespectfully. I have mental disabilities and had a pretty severe anxiety attack after speaking with Amber, the nurse/manager. What are my options? Can I file a civil rights and breach of privacy complaint?
My grandfather was on hospice for a few days before passing. We notified his estranged family after his passing, and learned that someone in his family had already been told he was on hospice. The hospice organization is from the same town as the estranged family. We have no connection to this estranged family. I do know that the hospice organization has patients at a facility that employs 1 or 2 estranged family members.
How should I handle this matter, and should I contact a lawyer?
I was released from a healthcare provider due to an incident at the local ER. The ER doctor later apologized and removed the incident from my record, accepting his mistake, but the health care provider said the release is a done deal. That being said, the health care provider was releasing patients in bulk at the time, at the start of the new year, and they sent my release statement explaining my incident at the ER to another party I have no relationship with, via USPS registered mail. The exterior envelope was addressed to them, but the letter contents on the inside of the envelope were addressed to me and contained embarrassing and possibly incriminating medical records pertaining to me. So they got my release letter with personal medical records of mine attached to it. I found this out because I received their record via USPS registered mail in the exact same scenario. Basically, they put the wrong inside letters in the wrong envelopes and I received her letter with personal info, including name and address and medical info pertaining to her release, and she got mine. They screwed up and got the letters switched around. This is very embarrassing to me due to the reasoning stated for my release (which was proved to be bad info and fixed in my favor a few days later, but the person that got my letter knew nothing of this), and I know nothing about the person other than that they were released as well over something serious. They could easily use that info against me (say it’s a future employer, or a person that is out to hurt people, and they have my medical info and the name and address that I’ve lived at for 9 years). What can I do about this? The worst part is that my reason for release, which they received, proved to be negligent; I was issued an apology by the ER doctor that attached it to my record, and it was removed and is no longer on my record. But the person that got my letter knows nothing of the outcome, only the false bad info on me.
Hi,
I need help ASAP. I met with a fertility specialist and told her I was a little depressed. She needed consent to speak with my psychiatric nurse practitioner to move forward, and after all was said and done my nurse practitioner made false and damaging statements about me and implied I couldn’t handle being pregnant, that my future children would be taken away from me, and that there were serious concerns as to how I would treat children. Now this facility is denying me fertility treatment or delaying me, and I’m already 36 years old. I’m beyond furious this N.P. ruined my reputation. What do I do now? I’ve never had any children and there is no evidence whatsoever to back any of this up.
If an employee hides patient test results for 2 months in their personal drawer and then moves them to be shredded so no one else can find them, who is accountable for this?
I don’t know how old this thread is but I’m looking for answers and thought I’d give this a try so long story short …
My first son’s father’s girlfriend was a MedStar employee, and when my son’s father and I made an agreement for visitation, I went with my child so he would not be scared going with somebody he never knew. My son’s father made a comment about knowing medical stuff about me and laughed when I asked how he knew. I knew that his girlfriend worked in the medical field but just left it at that. A couple months later I called somebody in management at MedStar and told them I had reason to believe she accessed my medical records. They told me they would do an investigation and contact me back. A month later I received a letter saying that they did in fact find out that she accessed my medical records, but not only mine: my first son’s (her boyfriend’s child) and also my youngest son’s, who is not his. They informed me she has been fired and no longer has access to the system. But I’m just wondering what can be done from here. I don’t know where to start, and I know that this is a violation of the HIPAA law and it has affected me in more ways than one. I’m hoping to hear something back. Thank you so much.
I went to the ER at a VA hospital by ambulance. I had been in a car accident and hit my head and had amnesia for about 10 days. The medical staff told the security officer the results of my drug screen. Is that a violation of my HIPAA rights?
Last Saturday my 11 year old daughter told me she had a doctor’s appointment on Tuesday. Her appointment was at my wife’s place of work. I asked my wife to go ahead and pay the bill. I am the primary insurance holder for my kids. When my ex brought my daughter in for her appointment, they told her it had already been paid for by my wife. At that time my ex caused a big scene, saying that she was going to sue for violation of HIPAA. My wife only knew about the appointment because my daughter told us. Is she in violation of HIPAA for paying the doctor bill? I am required to pay half per court order.
I am currently undergoing treatment and have been for a while now. I am also Active Duty Military getting ready to retire in the next couple months. People in my chain of command have been asking my psych certain questions pertaining to what we talk about. My psych told me about this and said that she will not talk to them without me signing a waiver to do so. However, they are flooding her phone inbox by leaving messages asking about my treatment. Is this considered a HIPAA violation and, if so, what can I do on my part?
I had a doctor appointment today which I never told anyone about. Two weeks ago I had surgery, and upon my visit today I was refused medication. I’m in a custody battle for my child and have court ordered visitation. Upon attempting to pick up said child a mere 6 hours later, I was met by his mother, who had called the police stating that she refused to let me have him because she knew for a fact that I had a doctor’s appointment earlier, was refused medication and was facing prescription fraud charges. I’m unaware of any charges pending at this time, and no one knew what had transpired at the doctor’s office but me. There’s no way she could have known what we even talked about at my visit without someone from the office telling her. I told no one. The police even asked her where she could have heard this so soon, and she replied she had her sources.