There is much confusion among the general public, and even among health care workers, about how HIPAA violations are investigated, what penalties apply, and what rights an individual actually has. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes, such as payment and health care operations.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. Covered entities are health care providers that transmit health information electronically in connection with certain standard transactions, health plans, and health care clearinghouses. Since the 2009 HITECH Act, business associates (vendors and contractors that handle protected health information on a covered entity’s behalf, such as billing companies and cloud hosting providers) are also directly liable for complying with the Security Rule and with the Privacy Rule provisions that apply to them. An entity that is neither a covered entity nor a business associate does not have to comply with the Privacy Rule or the Security Rule. Your best friend, family member or neighbor, unless they are also your health care provider, is not a covered entity, and HIPAA does not govern what they do with information you share with them.
The Privacy Rule, a federal regulation issued by HHS under HIPAA, gives you rights over your health information and sets rules and limits on who can look at and receive it. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a companion federal regulation, applies only to protected health information in electronic form and requires entities covered by HIPAA to put administrative, physical, and technical safeguards in place to protect the confidentiality, integrity, and availability of that electronic protected health information.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. HIPAA does not create a private right of action: an individual cannot sue a covered entity for violating HIPAA. If an individual believes a covered entity has violated their privacy rights or failed to secure their medical information under HIPAA, they must file a complaint with OCR if they wish action to be taken, and OCR requires that the complaint be filed within 180 days of when the person knew or should have known of the violation. Individuals of course retain the right to file a lawsuit based on invasion of privacy or similar claims under state law, but such lawsuits are not part of HIPAA itself.
OCR reviews every complaint it receives and investigates those that fall within its jurisdiction (the alleged conduct must have occurred after the rules took effect and must involve a covered entity or business associate). If a violation is found, OCR may require the entity to take corrective action, often under a formal corrective action plan, and may impose civil money penalties. Where private health information has been knowingly obtained or disclosed in violation of HIPAA, the Department of Justice may bring criminal charges.
An individual, as was the case before HIPAA, may file a lawsuit under the common law tort of invasion of privacy (specifically, public disclosure of private facts) if personal medical information is used inappropriately. However, the lawsuit may NOT be based on HIPAA rules being violated; the HIPAA violation itself is not the cause of action. To prevail, such a lawsuit must establish the following elements:
1. Public Disclosure: The disclosure of facts must be public. Another way of saying this is that the defendant must “give publicity” to the fact or facts in question.
2. Private Fact: The fact or facts disclosed must be private, and not generally known.
3. Offensive to a Reasonable Person: Publication of the private facts in question must be offensive to a reasonable person of ordinary sensibilities.
4. Not Newsworthy: The facts disclosed must not be newsworthy. Stated differently, the facts disclosed must not be a matter of legitimate public concern.
Unlike a HIPAA enforcement action, where the government can penalize an entity for the violation itself regardless of whether anyone was actually harmed, a lawsuit for invasion of privacy requires the plaintiff to prove each of the elements above and to seek a remedy for an injury. The plaintiff does not, however, have to prove special damages, meaning specific out-of-pocket financial losses. Invasion of privacy is a willful tort that is itself treated as a legal injury, so damages for the harm to the plaintiff’s privacy interest and for resulting mental suffering are recoverable without showing physical injury or financial loss, and punitive damages may be available where the conduct was willful. This is broader than ordinary defamation, where recovery is generally confined to actual injury proven by the plaintiff.
See our related article on this subject, Lawsuits for Unauthorized Release of Private Medical Information, which discusses the type of lawsuit one can potentially file.