Learn The Law and Represent Yourself in Court
Share
-
HIPAA Violations: Not A Cause Of Action For A Lawsuit
There is much confusion among the general public, and even among health care workers, as to the investigation, penalties and individual rights regarding HIPAA violations. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule. Covered entities include health care providers, health plans and health care information clearing houses. Your best friend, family member or neighbor, unless they are also your health care provider, is not a covered entity.
The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.
The U.S. Department of Health and Human Services’ Office for Civil Rights(OCR) is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. HIPAA does not create or allow for an individual to bring a lawsuit against a covered entity. If an individual believes a violation of their right to privacy or private medical information security under HIPAA has occurred, they must file a complaint with the OCR if they wish action be taken. Individuals of course have the right to file a lawsuit based on violation of privacy, etc., but such lawsuits are not a part of HIPAA itself.
The OCR investigates all complaints according to a defined process. If a violation has occurred, the OCR may fine the entity and/or have the entity take corrective action. For criminal misuse of private information the Department of Justice may bring criminal charges.
File a complaint HERE.
HHS HIPAA information hub HERE.
An individual, as was the case before HIPAA, may file a lawsuit under the common law tort of invasion of privacy if personal medical information is used inappropriately. However the lawsuit may NOT be based on HIPAA rules being violated. Such lawsuits must meet the following elements to prevail:
1. Public Disclosure: The disclosure of facts must be public. Another way of saying this is that the defendant must “give publicity” to the fact or facts in question.
2. Private Fact: The fact or facts disclosed must be private, and not generally known.
3. Offensive to a Reasonable Person: Publication of the private facts in question must be offensive to a reasonable person of ordinary sensibilities.
4. Not Newsworthy: The facts disclosed must not be newsworthy. Stated differently, the facts disclosed must not be a matter of legitimate public concern.
Unlike HIPAA violations where an entity can be fined by the government for the violation itself independent of any damage or harm caused, a lawsuit for invasion of privacy must show actual damages, but proof of special damages is not required. The act of invading one’s privacy, while necessary to mount a claim, is in and of itself not evidence of damage and insufficient for a lawsuit. However, also unlike defamation, the plaintiff does not have to prove special damages, meaning no actual harm must be proven in order to recover for them. Unlike defamation, where compensation is confined to actual injury, for invasion of privacy, damages are extended to presumed or punitive damages. Invasion of Privacy is a willful tort which constitutes a legal injury, and damages for mental suffering are recoverable without the necessity of showing actual physical injury.
See our related latest article on this subject: Lawsuits for Unauthorized Release of Private Medical Information which discusses the type of lawsuit one can potentially file.
Instead of caring for me and sending lab work to my doctor in NYC (which was part of the plan)
My ex-doctor sold me out and published an article about a potential medical breakthrough and reversal of Premature Ovarian Failure. In fact that is the title of the article. But that never happened! Instead of getting better i got much worse and was brain washed that I was getting better.The doctor used all of my medical history and lab work to prove something he new himself to be a bold face lie! Not only was he negligent in my care he has now without my consent published an article (and even thanked me for allowing him to use all of my health information) for a cause that turned out to be the farthest thing from the truth. After reviewing the article my present DR told me that I have a giant lawsuit on my hands and that this dr is dangerous and purely out to make a name for himself anyway possible. The facts, the doctors, the quotes and the events are undeniably me. He even left out certain blood tests with an n/a that were right in front of him because they did not fit with what he was trying to prove. All the while I am getting sicker from 12 autoimmune diseases and he knows it when in June a CRP test comes back highly elevated. That was the beginning of the demise of my thyroid and adrenal glands as was seen just two months after our final appointment. Though I did go back to his office where the senior doctor and office manager tried to soothe me and told me how sorry they were and how they would make sure they would get me to the right doctors. The senior doc also dx’d me with a rare disease called APECED or Pplyglandular Endocrine disorder. Then I left the office and never saw him again. He had also taken some blood work at the time…I imagined it would be 5 pages at least. Nope 1 page in which he decided or I assume had his medical out to say I was healthy and fine. The article came out just a few weeks ago(July 12 2010) After calling the publisher to inform them the article was complete and utter bs there question to me was”How did you get this article” it is for doctors only!…The article is now giving women false hope on many websites including the NIH and Medscape!
ONE MORE COMMENT
THANKFULLY I HAVE THE SUPPORT OF FOUR DOCTORS WHO ARE EMAILING ME INSTRUCTIONS ON FILING AND WRITING LETTERS TO BACK THIS ALL UP!
IT SEEMS THEY ARE JUST AS HORRIFIED AS I AM…AND WANT JUSTICE SERVED!!!
NOW ALL I NEED IS A LAWYER TO HANDLE IT AS I AM HEADING TO THE MAYO CLINIC FOR TREATMENT… AND PRAYING FOR A MIRACLE!
[...] http://lawmedconsultant.com/645 [...]
I am curious about “Invasion of Privacy.” That seems to be a difficult tort to bring to a successful conclusion. The damages would probably be nebulous, somewhat like defamation.
I have linked to this article on the blog I write for WebMD/Medscape, “The Verdict Is In.”
http://boards.medscape.com/forums?128@@.2a300761!comment=1
TonyFrancis:
Thanks for the mention in your article! It seems to depend on what state you are in as to how ‘easy’ an Invasion of Privacy action will be to prevail in. Each state has their own definitions and laws regarding this tort.
Actual damages in an Invasion of Privacy suit must be specifically proven. (I lost my job, etc. due to the disclosure) However, Special Damages in an Invasion of Privacy suit, unlike those in a Defamation action, do not have to be specifically proved in general. In other words, actual harm does not have to be proven to recover presumed or punitive damages. The remedy, absent actual damages, is presumed/punitive damages which is always a nebulous matter left in the hands of the jury.
We have just published a related item: lawsuits-for-unauthorized-release-of-private-medical-information
http://lawmedconsultant.com/3128
Thanks for your comment. I usually post something new on the blog “The Verdict Is In” on Medscape/WebMD on Thursdays. So it was a pleasant surprise to discover your site. I am always looking for something new.
The old tort of invasion of privacy appears to be set for expansion, depending on the jurisdiction.
We had an interesting post on the closed blog – it was a psychiatrist who wondered about releasing her records concerning a child patient to the “other non-custodial parent” -the father – when those records contained medical information about the health of the custodial mother. It is kind of a dilemma. The non-custodial parent has a right to the child’s records, but not the mother’s information.
We finally decided the only solution would be to scrub the original records of the mother’s medical information, or in the alternative, dictate a short summary of the child’s records for the court to review.
Anyway, I will keep you posted of new posts. Thanks.