Here’s where we unpack HIPAA laws, and how you can pursue financial compensation if your protected health information is shared without your permission.
The Health Insurance Portability and Accountability Act (HIPAA) is a set of complex federal rules and regulations that govern how medical institutions and their business associates handle your protected health information (PHI).
Penalties for HIPAA violations can be substantial, ranging from fines to criminal prosecution and imprisonment.
Even though it’s against the law for medical providers to share your health information without your permission, under federal law you don’t have the right to file a lawsuit or ask for compensation.
Despite that limitation in HIPAA itself, you may still be able to pursue compensation under state law for harmful violations of your medical privacy. Here’s what you need to know.
Why We Need HIPAA Laws
The main goal of the Health Insurance Portability and Accountability Act is to protect the privacy of your personal health information. HIPAA also works to create systems of confidentiality and accountability within healthcare facilities.
HIPAA is a legislative act made up of five titles as described below:
Title I: Protects health insurance coverage for workers and their families who change or lose their jobs. Title I also prohibited new health plans from denying coverage due to a pre-existing condition if the person was covered under another plan before the change.
Since 2014, under the Affordable Care Act, health care insurers cannot deny coverage or increase premiums based on a pre-existing condition, whether or not the person had prior insurance coverage.
Title II: Addresses health care fraud and abuse and medical liability reform, and mandates “administrative simplification,” which requires national standards for electronic health care transactions and national identifiers for providers, employers, and health insurance plans.
Under Title II, the U.S. Department of Health and Human Services (HHS) develops and publishes the Privacy and Security Rules that every organization covered by HIPAA must follow when handling protected health information.
Title III: Provides guidelines for pre-tax medical spending accounts. Title III makes changes to health insurance laws about deductions for medical insurance.
Title IV: Has guidelines for group health plans, such as the kind of health care plans offered by many employers.
Title V: Governs company-owned life insurance policies. Title V also sets out the income tax treatment of people who give up United States citizenship.
When Does HIPAA Protect Your Private Health Information?
HIPAA does not always protect the privacy of your personal health information. Under federal rules, only three categories of “covered entities,” plus the “business associates” that work on their behalf, are governed by HIPAA. Medical facilities and businesses that fall outside these categories, such as a fitness app or a non-medical employer, can hold your health information without being bound by HIPAA:
- Health care providers: Health care providers include medical doctors, osteopathic doctors, dentists, chiropractors, nurses, lab technicians, pharmacies, and medical administrators supporting these providers. A provider is a covered entity only if it transmits health information electronically in connection with certain standard transactions, such as submitting insurance claims electronically, which in practice covers nearly every modern practice.
- Health plans: Health plans include HMOs, PPOs, Medicaid, Medicare, company medical plans, and military and veteran health care programs.
- Health care clearinghouses: Health care clearinghouses are companies that process health information on behalf of others, typically translating it between nonstandard and standard electronic formats. Examples include billing service companies, community health information systems, and other transaction facilitators that handle PHI.
- Business associates: A “business associate” is a person or entity that performs certain functions or services for a covered entity and, in doing so, has access to patient information. Examples of business associates are CPAs, attorneys, medical transcription services, and hospital utilization consultants. A business associate is not itself a covered entity, but it must sign a written business associate agreement and, since the HITECH Act of 2009, can be held directly liable for HIPAA violations.
How Can Someone Get My Health Records?
HIPAA’s “Privacy Rule” covers a person’s protected health information, which includes medical bills, claim information, prescriptions, lab results, medical opinions, and any other individually identifiable health information held by a covered entity.
Under the Privacy Rule, a covered entity may use or disclose your PHI without your authorization only for treatment, payment, and health care operations, and in a limited set of other situations the rule spells out (for example, public health reporting or disclosures required by law). Any other disclosure requires your written authorization.
It’s important to know the difference between patient consent and patient authorization:
Consent generally means giving permission to have a medical procedure performed, or for medical information to be shared with doctors during treatment.
Authorization generally means giving permission for your PHI to be released to third parties, other than the original medical facility providing treatment.
To be a valid authorization, there must be a written document, signed and dated by the patient, giving the named medical facility permission to use or disclose specific PHI for purposes other than treatment, payment, or health care operations.
An authorization is needed when a patient’s PHI will be disclosed to a third party for a purpose the Privacy Rule does not otherwise permit, such as sending records to an attorney, an employer, or a life insurer.
A written authorization for release of medical records is also used to gather important proof of damages in injury cases, like auto accidents.
The patient authorization must include a description of the specific PHI to be disclosed, who is permitted to make the disclosure, the person or company to whom the PHI will be sent, the purpose of the disclosure, an expiration date or expiration event, and the patient’s signature and date.
Another form of written authorization is a “Power of Attorney” that allows someone to conduct business and manage personal affairs on your behalf.
Court Orders and Subpoenas of Medical Records
Under HIPAA, covered entities like your doctor’s office or pharmacy are not allowed to release your private health information without your written authorization, except under limited circumstances:
Court Order: A judge signs a court order. Your medical provider must release copies of the requested records as stated in the court order. The medical provider does not have to notify you of the request under federal law, although some states may have notification requirements.
Subpoena: A subpoena is not the same as a court order. Subpoenas can be issued by a court clerk or an attorney in the case. Under HIPAA privacy rules, your medical provider can hand over copies of your records in response to a subpoena only after receiving satisfactory assurances that the party seeking the records has made reasonable efforts to:
- Notify you of the subpoena so that you have an opportunity to object to the disclosure of your records, or
- Seek a qualified protective order from the court for the requested information
Disclosure of any portion of the patient’s PHI without authorization, and without one of the other permitted grounds described above, is a potential violation of HIPAA.
Case Summary: $1.8 Million Verdict for Disclosure of Pharmacy Records
Indiana resident Abigail Hinchy used her local Walgreen pharmacy to handle all her prescription medications, including birth control.
Hinchy was horrified when her former boyfriend, Davion Peterson, obtained copies of her pharmacy records and attempted to use the information against her.
Peterson threatened to disclose to Hinchy’s family that she was being treated for genital herpes and that she had stopped using birth control for two months before becoming pregnant.
Hinchy later learned that Davion Peterson had been dating, and later married, Audra Withers. Withers worked as a pharmacist at the Walgreen where Hinchy filled all her prescriptions, and had looked up Hinchy’s records.
Through her attorneys, Abigail Hinchy filed a professional malpractice lawsuit against Walgreen and the pharmacist who breached her medical privacy.
The jury awarded Hinchy $1.8 million in damages. The verdict was upheld on appeal.
Legal Recourse for HIPAA Violations
Contrary to what many people believe, you cannot sue a medical entity for violating your HIPAA rights.
In legal terms, a HIPAA violation does not allow a “private right of action.” That means the government can punish the medical provider or business associate, but any penalties paid by the violator go to the government, not to you.
You do have the right to report HIPAA violations to the HHS Office for Civil Rights (OCR). You must file your complaint within 180 days of when you knew, or should have known, of the violation; OCR may extend that deadline if you show good cause.
File your HIPAA complaint online using the U.S. HHS Office for Civil Rights Complaint Portal.
After the investigation is complete, the Office for Civil Rights will issue a letter describing the resolution of your complaint.
If a covered entity is found to have violated HIPAA, it must take corrective action and may be fined. Knowing violations can be referred to the Department of Justice for criminal prosecution.
Federal Penalties for Violations
The severity of the penalties imposed on health care providers or other entities that violate HIPAA privacy rules depends on whether the entity knowingly violated the rules.
Penalties for HIPAA violations are most severe when the entity has intentionally ignored the rules.
The four categories used for the penalty structure are as follows:
Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules
Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (“reasonable cause,” falling short of willful neglect of HIPAA Rules)
Category 3: A violation that is a direct result of “willful neglect” of HIPAA Rules, where the violation was corrected within 30 days of discovery
Category 4: A violation constituting willful neglect of HIPAA Rules, where the violation was not corrected within 30 days
Minimum fines, depending on the category, range from $100 to $50,000 per violation. Total fines for identical violations in one calendar year are capped at $1.5 million per category. Both figures are adjusted annually for inflation, so the current amounts are somewhat higher.
Medical Privacy Under State Laws
If a medical privacy violation resulted in damages, meaning you suffered some kind of verifiable harm such as a financial loss or documented emotional distress, you might have a civil claim under state law against the individual or organization that violated your privacy.
Each state has different privacy laws governing personal health information. Talk to a personal injury attorney about your rights to compensation for HIPAA violations.
Case Summary: $853,000 Verdict Against Medical Center
In Byrne v. Avery Center for Obstetrics and Gynecology, the Connecticut Supreme Court ruled that Connecticut recognizes a common-law duty of confidentiality between a health care provider and a patient, and that HIPAA’s requirements can be used to define the standard of care for that duty even though HIPAA itself gives patients no right to sue. That ruling paved the way for Emily Byrne to win her lawsuit against the Avery Center.
Byrne and her ex-boyfriend, Andro Mendoza were involved in a custody battle over their daughter. They had broken up about the time Byrne became pregnant.
Andro Mendoza’s attorneys sent a subpoena to the Avery Center for Obstetrics and Gynecology, seeking the release of Emily Byrne’s medical records.
The Avery Center complied with the subpoena without first notifying Emily Byrne. Mendoza and his legal team viewed her records.
Byrne did not authorize the release of her medical records and was not given the opportunity to object to the subpoena, the safeguard HIPAA’s subpoena rules are designed to provide.
The jury awarded $853,000 to Emily Byrne because her medical records were improperly released without her knowledge.
When to Hire an Attorney
You won’t get far trying to handle a HIPAA violation on your own in state court.
Medical providers and associated businesses are protected by malpractice and liability insurance. Insurance companies have armies at the ready to fight claimants like you.
The defense team will start by arguing that you don’t have a “private right of action” under HIPAA, and they won’t give up. They have no reason to offer a settlement if you are on your own. They know you probably won’t have the energy or the legal know-how to beat them.
You don’t have to fight alone, and you don’t need lots of money up front to hire a successful personal injury attorney. Most attorneys don’t charge for their initial consultation, and usually represent clients on a contingency fee basis.
In other words, the attorney’s fees aren’t paid unless your case is settled or your attorney wins a verdict in court.
There’s too much at stake to wait. Aside from the 180-day deadline for filing a HIPAA complaint with OCR, each state has a statute of limitations, meaning a deadline for filing lawsuits. If you miss the deadline, you lose your chance to pursue compensation.
Act now. There’s no obligation, and it costs nothing to find out what a skilled attorney can do for you.