Health records, or medical records, contain information about a person’s previous medical treatments, their medical conditions, and medical history. While it is necessary for healthcare providers to keep meticulous records of this type of information, health records also contain very private information. The use and distribution of health records are subject to strict regulation under medical record privacy laws.
Before most record-keeping moved to computers and other electronic devices, medical institutions maintained medical data on paper records. From a privacy perspective this was safer, because the records, and the data they contained, could only be stolen by taking them physically. Currently, information is stored almost exclusively in electronic databases. Unless these digital records are expertly protected, hackers can access them.
A person’s health records may be consulted or required in various circumstances. For instance, an employer can request health information from an employee to justify the employee’s leave of absence for a medical reason. In a personal injury context, health records may be needed in cases where the victim has a pre-existing medical condition related to their injuries in connection with a current claim.
How Are Health Records Protected?
The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law requiring national standards to protect a patient’s health information from disclosure without the patient’s knowledge and consent.
The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to satisfy the HIPAA mandate. The people and organizations subject to the Privacy Rule and considered “covered entities” who must comply with it are as follows:
- Healthcare Providers: Every healthcare provider that transmits health records electronically in connection with the following transactions must comply:
  - Insurance claims;
  - Requests for information about eligibility for benefits;
  - Requests for authorization of referrals;
  - Other transactions subject to HHS standards under the HIPAA Transactions Rule.
- Health Plans: Health plans are also subject to the Privacy Rule, and they include the following:
  - Insurance companies that provide health, dental, vision, and prescription drug insurance plans;
  - Health maintenance organizations (HMOs);
  - Medicare, Medicaid, Medicare+Choice, and insurance companies that provide Medicare supplement policies;
  - Insurance companies that provide long-term care insurance;
  - Group health plans sponsored by employers;
  - Government- and church-sponsored health plans;
  - Multi-employer health plans.
One type of entity exempted from compliance with the rule is a group health plan with fewer than 50 participants administered solely by an employer that sets up and maintains the plan.
Healthcare clearinghouses, which are businesses that process information they receive from another entity, are also covered entities. Usually, clearinghouses provide processing services to health plans or healthcare providers as business associates.
A person or organization that uses or discloses health information to perform a business function, such as processing insurance claims, data analysis, or billing, is also a covered entity that must protect the privacy of patient health information.
What Is a Health Record Privacy Dispute?
Subject to certain exceptions, a person’s health records are private and cannot be released without the person’s permission. For example, a hospital or healthcare institution cannot sell or disclose private medical records without the patient’s knowledge and consent. Access to medical records is very strictly controlled. This is especially true if they are going to be used in a personal injury lawsuit.
One exception may be where the patient’s identifying information is not revealed, i.e., it is blacked out so that the patient cannot be identified. Some uses of information in this form are allowed; for example, it might be used for research or public health purposes. On the whole, however, health records cannot be accessed without the patient’s permission.
If an entity covered by HIPAA and the Privacy Rule were to violate the rule and disclose a person’s private, protected medical information, the person might be able to sue under state laws for the damage suffered, or they could file a complaint with the federal government.
What Are Some Legal Remedies in a Health Record Privacy Dispute?
There is no private cause of action in HIPAA, so a patient cannot sue a covered entity for a HIPAA violation per se. Even if a healthcare provider has violated HIPAA rules, and the violation was the direct cause of harm to the patient, the patient may not sue for damages in a civil lawsuit, at least not for violating the HIPAA Privacy Rule.
While HIPAA does not authorize private lawsuits for HIPAA violations, in some states, patients can take legal action against healthcare providers or other covered entities and win damages for violations of state laws.
In some states, it is possible to file a lawsuit against a HIPAA-covered entity on a theory of negligence or breach of an implied contract. Of course, to succeed with such a case, the person would have to prove that the violation caused them some economic loss that should be compensated with monetary damages.
Filing a lawsuit against a covered entity can be expensive, and there is no guarantee of success, since the person would still have to prove a compensable loss. An alternative course of action might lead to the same end without the expense and risk of a lawsuit.
Can I File a Complaint with the Government for a HIPAA Violation?
If a patient thinks that the HIPAA Privacy Rule has been violated in the handling of their medical records, they can file a complaint with the federal Department of Health and Human Services’ Office for Civil Rights (OCR). Complaints are investigated in most cases. The OCR will take action against the covered entity if a complaint is proven to be valid and it is established that the HIPAA Privacy Rule has been violated.
A person who files a complaint with the OCR must identify themselves and provide contact information. A person must file a complaint with the OCR before they take any legal action, e.g., filing a lawsuit against the covered entity under state laws. Complaints to the OCR must be submitted within 180 days of the day when a patient discovers the violation, although, in some limited situations, an extension might be granted.
Complaints can also be filed with the attorney general of the state where a person lives. The state attorneys general can also investigate cases against entities covered by the HIPAA Privacy Rule for violations.
The actions that an attorney general would take against a covered entity accused of a violation depend on several factors, including the nature of the violation, the seriousness of the violation, the number of people affected, and whether the entity has violated the Privacy Rule repeatedly.
Do I Need a Lawyer for Help with a HIPAA Violation?
Health records can be a vital aspect of many personal injury claims. You may need to hire an insurance lawyer if you need assistance with any potential violation of your privacy rights regarding health records.
Your attorney can investigate the situation to determine whether a violation may have occurred, and can prepare a complaint for the OCR or a lawsuit if the facts warrant it. Your lawyer will also be able to provide you with valuable legal representation throughout the litigation. Your attorney can review your situation and advise you on the best course of action to take.