The Health Insurance Portability and Accountability Act (HIPAA) is a set of complex federal rules and regulations that govern how medical institutions and their business associates treat your private health information, known as “PHI.” Penalties for HIPAA violations can be substantial, ranging from fines to criminal prosecution and imprisonment.
Penalties for Violations
Claims of HIPAA violations are investigated by the Office of Civil Rights (OCR), a division of the U.S. Department of Labor. The two most important HIPAA sections addressing violations are Federal Public Law Sections 104-191 and 1177.
Under HIPAA Law Section 104-191, “General Penalty for Failure to Comply with Requirements and Standards,” the U.S. Department of Labor can impose fines beginning at $100 on an individual for each day the violation continues, up to a maximum of $25,000 per year.
Under HIPAA Law Section 1177, “Wrongful Disclosure of Individually Identifiable Health Information,” the U.S. Department of Labor can impose fines beginning at $50,000 and/or up to a year in jail, all the way up to a fine of $250,000 and/or up to ten years in jail for an individual. Under HIPAA rules, an “individual” can be a medical entity, institution, or an executive of either.
HIPAA applies to the following four medical entities:
Health plan organizations
Health plans include HMOs, PPOs, Medicaid, Medicare, and other individuals or medical groups that pay the cost of medical care for their insured.
Health care clearinghouses
Health care clearinghouses include individuals or companies which are paid to process individuals’ personal health information (PHI). This includes billing service companies, health information systems, transaction facilitators, and other entities that handle PHI.
Health care providers
Health care providers include any person or organization that charges patients for providing treatment. This includes medical doctors, osteopathic doctors, dentists, chiropractors, nurses, lab technicians, and medical administrators supporting these providers.
Business associates are extensions of the previous three groups. Examples of business associates are CPAs whose accounting services include a review of PHI, attorneys whose legal services include access to PHI, and pharmacists with similar access to PHI.
Why We Need HIPAA Laws
HIPAA exists for two main reasons, to ensure you maintain health insurance when changing jobs, and to protect the privacy of your personal health information. Let’s discuss these protections, known as Title I and Title II.
Title one ensures that if you change jobs, you can maintain your health insurance without being penalized.
In the past, people with health problems were afraid if they left their jobs or were fired, they wouldn’t be able to get health insurance with their new employer, or if they were able to get insurance, their pre-existing condition would be excluded.
This meant if you started your new job with a pre-existing injury or illness, your new HMO or PPO could exclude coverage for that prior medical condition. Even if you were to find another health insurance company to cover your pre-existing condition, the premiums would be extremely high.
Today, health insurance companies cannot refuse to provide medical coverage based on a pre-existing condition. Nor can they charge higher premiums based on your condition.
Example: Pre-existing Condition Violation
Gerard worked for the last twenty years as a driver for a local delivery company, and had excellent coverage under his HMO. About ten years ago Gerard was diagnosed with cardio-myopathy, a disease of the heart that can be controlled by taking several expensive medications. Gerard’s HMO covered all his medical bills related to his cardio-myopathy.
Gerard’s employer went out of business, but he was able to get full-time work with another company that provided an excellent health insurance package through an HMO. A month after beginning his new job, Gerard received a letter from the HMO stating his pre-existing heart condition was excluded from coverage.
Gerard filed a complaint with the Office of Civil Rights (OCR). The OCR found the HMO to be in direct violation of HIPAA. They were fined $50,000, and ordered to immediately cover all the costs of treatment for Gerard’s cardio-myopathy.
Title two protects your personal health information from being released to third parties without your express consent.
HIPAA’s “Privacy Rule” covers a person’s private health information, which includes medical bills, claim information, prescriptions, lab results, medical opinions, and all other protected forms of PHI. Under this section, your PHI cannot be distributed without your written authorization.
It’s important to know the difference between patient consent and patient authorization. Consent generally means giving permission to have a medical procedure performed, or for medical information to be shared with doctors during treatment. Authorization generally means giving permission to have one’s PHI distributed to third parties, other than the original medical facility providing treatment.
To be a legitimate authorization, there must be a written document, signed by the patient, giving the named medical facility permission to use specific PHI for matters other than medical treatment, payment, or surgeries. The authorization applies when a patient’s PHI will be disclosed to a third party, such as an insurance company, billing company, or even another doctor.
The patient authorization must include a description of the specific PHI to be disclosed, the person or company to whom the PHI will be sent, an expiration date for the authorization, and the purpose of the disclosure. Disclosure of any portion of the patient’s PHI without authorization is a potential violation of HIPAA laws.
Example 1: Violation of HIPAA’s Privacy Rule
Susan went to her family doctor complaining of bloating, weight loss, jaundice, dark urine, and nausea. After several tests, her physician told her she was suffering from pancreatic cancer. Several days later, Dave called Susan’s physician’s office, identified himself as her husband, and asked about Susan’s test results. The receptionist told Dave his wife had been diagnosed with advanced pancreatic cancer.
This is a clear case of a violation of HIPAA’s Privacy Rule, even though Dave was Susan’s husband. The receptionist was prohibited from disclosing that information to Dave. Her breach of confidentiality may subject her and the doctor to HIPAA penalties.
Example 2: Violation of HIPAA’s Privacy Rule
Amy was going through a medical malpractice lawsuit against her doctor, and her attorney was preparing to take the depositions of the doctor and his staff. The doctor’s attorney sent a letter to Amy’s former doctor demanding he turn over her medical records, including all of the doctor’s notes regarding her predilection for opiate abuse, and repeated threats to sue him for medical malpractice.
Believing the attorney’s letter was “official,” the doctor advised his staff to make copies of all of Amy’s medical records and forward them to the attorney. He did so without contacting Amy or obtaining her express written authorization.
While in trial, the doctor’s attorney introduced into evidence Amy’s prior medical records, especially the doctor’s notes about her “drug seeking behavior,” and repeated threats of suing for medical malpractice. As a result, Amy’s case was doomed, and the jury ruled in favor of the doctor. Amy’s former doctor violated HIPAA’s Privacy Rule, and this breach of confidentiality subjects him to HIPAA fines and penalties.
Legal Recourse for HIPAA Rights Violations
Contrary to what many people believe, you cannot sue a medical entity for violating your HIPAA rights. Your only recourse against a HIPAA violation is to file a complaint with the Department of Labor’s Office of Civil Rights, after which an investigator will investigate your allegations and determine if a HIPAA violation took place. If so, the violator may be fined or subject to criminal prosecution.
To report a HIPAA violation, go to this webpage. There you can download the form to file your complaint by written mail, email, or via fax. Provide the name(s) of the medical entity that violated your HIPAA rights, and write a brief explanation of the facts surrounding the violation, including the evidence you having proving the violation occurred.
Private Legal Remedies
If the violation resulted in damages, meaning you suffered some kind of verifiable financial loss, you may have a civil claim against the individual who violated your HIPAA rights.
Example: Monetary Damages from HIPAA Violation
Jane was interviewing for a new job, and had already been selected for the position. She was negotiating the terms of her employment contract, when a background check turned up her family doctor’s contact information.
The background investigator then contacted Jane’s doctor, saying he was authorized to obtain copies of her medical records for her new employer. The doctor’s office released Jane’s records, which revealed she was being treated for HIV. Jane never authorized this information to be disclosed to any third parties, especially the background check company.
Days after the information was released, Jane’s offer of employment was suddenly withdrawn, citing another candidate as having better qualifications.
In this instance, Jane could sue her doctor for the damages caused by his HIPAA violation. She’d likely have the basis of a “tortious interference with contract” case. She’d need to prove that the withdrawal of the employment offer was directly related to the disclosure of her medical records. Jane’s damages would be the loss of income and benefits she would have been entitled to if she’d been hired.
Further, if after the OCR investigated her complaint, they found the doctor to have violated HIPAA laws, Jane could use that finding as strong evidence in the trial. Additionally, Jane could contact the State Medical Board and file a complaint of unethical practice.
If an unauthorized release of your PHI resulted in financial damages, you should consult an attorney with extensive experience in HIPAA law. In some cases, depending on your damages, an attorney may accept your case on a contingency fee basis, meaning you won’t have to pay any money until, and unless the attorney settles your case or wins it at trial.
How Much is Your Injury Claim Worth?
Find out now with a FREE case review from an attorney…
Visitor Questions on Hospital Malpractice
Search for a Previously Answered Question
I was at a pharmacy drive-up window that I have been going to for years, and picked up my prescription without issue. Several hours later, the person that rang up my transaction and gave me my medication at pickup contacted me on Facebook, without my permission, without me actually knowing him. He said at one... Read More.
An attorney submits proper documentation for emergency medical leave and has to postpone a trial. Can a judge then legally demand that the attorney consent to release her medical information to the court? If so, under what rules? Thank you for any information you can provide. Read More.
I am a patient at the same hospital where my husband works. I asked my husband to drop off a stool sample for me. He dropped the sample off and later that day a tech asked him if I was still vomiting or having diarrhea. My husband was confused and the tech asked if I... Read More.
The employer’s worker’s comp insurance carrier submitted a falsified Authorization for Release of Protected Health Information to the medical center (personal primary care) and obtained my protected health information, which was non-industrial and not related to any current injury, and sent those records directly to a QME doctor. The claims administrator literally took white tape... Read More.
My brother in law is a retired OB/GYN. He prescribed my husband (his younger brother) thyroid medication for hypothyroidism for a brief period of time. This was after he retired. My brother in law, the doctor, tried to diagnose his brother (my husband) with having Bipolar Disorder. My brother in law does not specialize in... Read More.
My wife is a federal employee that recently succumbed to a bought of depression, anxiety and panic episodes. A medical assessment was deemed necessary. My wife signed an “Authorization for disclosure of information” pursuant to the Privacy act of 1974. The authorization was for assessment by the Federal Occupational Health Services. Unfortunately, the information did... Read More.
I recently was out of work for over 30 days and filed a claim with my disability insurance. Their form had where my doctor signed and stated when my illness began and that I last had it over 2 years ago. I also sent them three months of doctor’s notes which they asked for. This... Read More.
My ex obtained my medical record illegally with my stolen medical record number. He obtained it in an attempt to use it against me in our custody trial, which he ended up submitting as evidence. He made multiple copies of it and disclosed this private information to his girlfriend. My disorders have never gotten in... Read More.
My health care provider seems to have merged my child’s records with another child that is not ours. They now share the same medical information such as allergies and vaccinations. I have called to inform them of the problem, but they for the most part do not believe me. I have access to this other... Read More.
I think there was a HIPAA Violation at my workplace. I was hospitalized back in August and released the beginning of September. I had all release paper work faxed into my workplace. I seems someone forgot my papers in the break room for everyone to see. Since bringing this to their attention I have been... Read More.
I took a coronary calcium scan test based on the recommendation of my primary care physician. He referred me to a cardiologist at a hospital in my area. I then received in the mail, the results of the test for someone else. The person’s name is clearly indicated on the test result, while the envelope... Read More.
I am a commissioned peace officer/investigator for a county government agency in the State of Colorado. I work for a county District Attorney’s office and I carry a firearm as part of my job. I sought mental health therapy through a psychologist specializing in police and public safety psychology. The DA’s Office pays for this... Read More.
A home health aid was off duty and went to a clients home that had cancelled service for the day. Upon calling the office, they agreed to come check on the client. The home health aid lived close by and went home to use the restroom. As she was leaving her home to go back... Read More.
A recent hospitalization involved me being placed in a room along with another patient. I requested a private room, as I didn’t want any of my private medical details discussed in front of other patients. I was refused. I even asked how they can be compliant with HIPAA laws in these situations, and was just... Read More.
I get in-home services for my autistic grand daughter from a mental health clinician who provides services at my daughter’s home. My grand daughter lives with me and I am her guardian. However, the tutor and clinicians provide services at my daughter’s home who lives across the street from me. Because I am the guardian... Read More.
I recently left a major hospital where I was employed for over two years. A few employees in my area accessed my medical records for their own personal curiosity, and my medical condition was the subject of discussion in my old office. Is this a HIPAA violation? Only one of these people is an actual... Read More.
On 8-13-14, I had an allergic reaction to epoxy received from my previous job. That day I tried setting up an appointment through a referral line, because my doctor who has treated me for 6+ years was no longer in family practice. In order to see me, the doctors needed my medical records. Myself, the... Read More.
I had posted a comment in a public Facebook forum about the rude nurse that took care of me at our local hospital. The response was basically what I expected, living in a small town. Then someone posted some of my private medical information, my insurance type and why I had been at the hospital.... Read More.
I was not feeling good, so decided to sign up and go to the VA. The doctor advised me to have some vaccines and I did. She then wanted to do blood test, and advised me to take an HIV test, just to rule it out. I said okay even though I had no reason... Read More.
I was given up for adoption when I was born. My birth mother decided that she wanted to find me and hired a private investigator. My birth mother called the hospital to get some information from them: birth certificate number, date I was born, etc., so she could give it to the PI to more... Read More.
I received a letter from the health system, where my daughter is a patient, informing me that an unencrypted thumb drive with her personal information was stolen in July of this year. Although they claim her social security # was not included in the stolen information, I still have concerns that her name, medical record... Read More.
I work as a case worker at a Mental Health Facility. We contract with the jail and often have clients who end up in jail, then continue mental health services in order to get medications and have caseworkers see them in jail. A current client of mine was recently sent to jail. The protocol states... Read More.
A Home Health Aide (HHA) hired to care for my dying mother did not agree with our family decision to admit her to a hospice. She lived in Colorado at the time. As retribution, the aide posted a review of our family business online, disclosing my mother’s medical condition, medications, and her doctor’s name. She... Read More.
My husband had a stroke in the ECU (Extended Care Unit), which was not noted for over four hours. Despite hourly worsening symptoms, the nursing notes say “patient remained the same.” I filed a complaint with our Nursing Board, and they investigated twice, but found the RN did no wrong. Shortly after this, we were... Read More.
In two cases, a licensed professional counselor violated HIPAA by sharing information with a third party about a client who had not given written permission to do so. Both incidents happened within the past year. In the first case, the client knows about the disclosure. In the second case, the client does not know about... Read More.
I attended a consultation with a local cosmetic surgeon for a breast augmentation, specifically, a “remove and replace” due to the fact I have had my current implants just over twenty years. The consultation went well and I was provided with an estimate of medical fees to which I was very pleased. Due to the... Read More.
I visited a plastic surgeon’s office to have a skin cancer lesion removed from my ear lobe. However, due to an ear infection I was sent from the surgeon’s office to the office of a local infectious disease physician to clear up the ear infection first. Here is where I believe my rights were violated…... Read More.
I was at a concert last night and broke my arm. I was taken to a nearby hospital by ambulance and was placed in the emergency room. They tested my urine before taking the x-ray of my arm. The only person allowed in the room to visit me happened to be my very good friend’s... Read More.
I went to the doctor with a parasite infection. I was on a juice fast and found parasites in my stool after several days. I actually brought a sample to the doctor and she sent me for lab work twice. Both times I was told it was negative and no medication was given. Well I... Read More.
I went to the hospital with dizzy spells. They ran a blood test then came back and told me I was pregnant in front of a room full of people, including a few I did not want to know. They also left me with an IV in my arm pinned to the wall, and when... Read More.