Historic Texas Senate Bill Filed to Abolish Death Penalty in Texas
Federal Sunshine Act/Open Payments Program
Legal Recourse for HIPAA Violations
The Health Insurance Portability and Accountability Act (HIPAA) is a set of complex federal rules and regulations that govern how medical institutions and their business associates treat your private health information, known as "PHI." Penalties for HIPAA violations can be substantial, ranging from fines to criminal prosecution and imprisonment.
Penalties for Violations
Claims of HIPAA violations are investigated by the Office of Civil Rights (OCR), a division of the U.S. Department of Labor. The two most important HIPAA sections addressing violations are Federal Public Law Sections 104-191 and 1177.
Under HIPAA Law Section 104-191, "General Penalty for Failure to Comply with Requirements and Standards," the U.S. Department of Labor can impose fines beginning at $100 on an individual for each day the violation continues, up to a maximum of $25,000 per year.
Under HIPAA Law Section 1177, "Wrongful Disclosure of Individually Identifiable Health Information," the U.S. Department of Labor can impose fines beginning at $50,000 and/or up to a year in jail, all the way up to a fine of $250,000 and/or up to ten years in jail for an individual. Under HIPAA rules, an "individual" can be a medical entity, institution, or an executive of either.
HIPAA applies to the following four medical entities:
Health plan organizations
Health plans include HMOs, PPOs, Medicaid, Medicare, and other individuals or medical groups that pay the cost of medical care for their insured.
Health care clearinghouses
Health care clearinghouses include individuals or companies which are paid to process individuals' personal health information (PHI). This includes billing service companies, health information systems, transaction facilitators, and other entities that handle PHI.
Health care providers
Health care providers include any person or organization that charges patients for providing treatment. This includes medical doctors, osteopathic doctors, dentists, chiropractors, nurses, lab technicians, and medical administrators supporting these providers.
Business associates are extensions of the previous three groups. Examples of business associates are CPAs whose accounting services include a review of PHI, attorneys whose legal services include access to PHI, and pharmacists with similar access to PHI.
Why We Need HIPAA Laws
HIPAA exists for two main reasons, to ensure you maintain health insurance when changing jobs, and to protect the privacy of your personal health information. Let's discuss these protections, known as Title I and Title II.
Title one ensures that if you change jobs, you can maintain your health insurance without being penalized.
In the past, people with health problems were afraid if they left their jobs or were fired, they wouldn't be able to get health insurance with their new employer, or if they were able to get insurance, their pre-existing condition would be excluded.
This meant if you started your new job with a pre-existing injury or illness, your new HMO or PPO could exclude coverage for that prior medical condition. Even if you were to find another health insurance company to cover your pre-existing condition, the premiums would be extremely high.
Today, health insurance companies cannot refuse to provide medical coverage based on a pre-existing condition. Nor can they charge higher premiums based on your condition.
Title two protects your personal health information from being released to third parties without your express consent.
HIPAA's "Privacy Rule" covers a person's private health information, which includes medical bills, claim information, prescriptions, lab results, medical opinions, and all other protected forms of PHI. Under this section, your PHI cannot be distributed without your written authorization.
It's important to know the difference between patient consent and patient authorization. Consent generally means giving permission to have a medical procedure performed, or for medical information to be shared with doctors during treatment. Authorization generally means giving permission to have one's PHI distributed to third parties, other than the original medical facility providing treatment.
To be a legitimate authorization, there must be a written document, signed by the patient, giving the named medical facility permission to use specific PHI for matters other than medical treatment, payment, or surgeries. The authorization applies when a patient's PHI will be disclosed to a third party, such as an insurance company, billing company, or even another doctor.
The patient authorization must include a description of the specific PHI to be disclosed, the person or company to whom the PHI will be sent, an expiration date for the authorization, and the purpose of the disclosure. Disclosure of any portion of the patient's PHI without authorization is a potential violation of HIPAA laws.
Legal Recourse for HIPAA Rights Violations
Contrary to what many people believe, you cannot sue a medical entity for violating your HIPAA rights. Your only recourse against a HIPAA violation is to file a complaint with the Department of Labor's Office of Civil Rights, after which an investigator will investigate your allegations and determine if a HIPAA violation took place. If so, the violator may be fined or subject to criminal prosecution.
To report a HIPAA violation, go to this webpage. There you can download the form to file your complaint by written mail, email, or via fax. Provide the name(s) of the medical entity that violated your HIPAA rights, and write a brief explanation of the facts surrounding the violation, including the evidence you having proving the violation occurred.
Private Legal Remedies
If the violation resulted in damages, meaning you suffered some kind of verifiable financial loss, you may have a civil claim against the individual who violated your HIPAA rights.
In this instance, Jane could sue her doctor for the damages caused by his HIPAA violation. She'd likely have the basis of a "tortious interference with contract" case. She'd need to prove that the withdrawal of the employment offer was directly related to the disclosure of her medical records. Jane's damages would be the loss of income and benefits she would have been entitled to if she'd been hired.
Further, if after the OCR investigated her complaint, they found the doctor to have violated HIPAA laws, Jane could use that finding as strong evidence in the trial. Additionally, Jane could contact the State Medical Board and file a complaint of unethical practice.
If an unauthorized release of your PHI resulted in financial damages, you should consult an attorney with extensive experience in HIPAA law. In some cases, depending on your damages, an attorney may accept your case on a contingency fee basis, meaning you won't have to pay any money until, and unless the attorney settles your case or wins it at trial.
Examples of HIPAA Violations
HIPAA, the Health Insurance Portability and Accountability Act of 1996, was passed to protect an employee's health insurance coverage when they lose or change jobs and it ensures privacy and confidentiality of identifiable health information.
10 Common HIPAA Violations
Failure to adhere to the authorization expiration date - Patients can set a date when their authorization expires. A violation would be releasing confidential records after that date.
Failure to promptly release information to patients - According to HIPAA, a patient has the right to receive electronic copies of medical records on demand.
Improper disposal of patient records - Shredding is necessary before disposing of patient’s record.
Insider snooping - This refers to family members or co-workers looking into a person’s medical records without authorization. This can be avoided with password protection, tracking systems and clearance levels.
Missing patient signature - Any HIPAA forms without the patient’s signature is invalid, so releasing information would be a violation.
Releasing information to an undesignated party - Only the exact person listed on the authorization form may receive patient information.
Releasing unauthorized health information - This refers to releasing the wrong document that has not been approved for release. A patient has the right to release only parts of their medical record.
Releasing wrong patient's information - Through a careless mistake, someone releases information to the wrong patient. This sometimes happens when two patients have the same or similar name.
Right to revoke clause - Any forms a patient signs need to have a Right to Revoke clause or the form is invalid. Therefore, any information released to a third party would be in violation of HIPAA regulations.
Unprotected storage of private health information - A good example of this is a laptop that is stolen. Private information stored electronically needs to be stored on a secure device. This applies to a laptop, thumbnail drive, or any other mobile device.
Scenarios that Violate HIPAA
Telling friends or relatives about patients in the hospital
Discussing private health information in public areas of the hospital, including the lobby of a hospital, an elevator or the cafeteria
Discussing private health information over the phone in a public area
Not logging off your computer or a computer system that contains private health information
HIPAA regulations for "need to know" include: The security guard in a healthcare institution needs to know the name and room number of patients to guide visitors. This is allowed; but, any other information, such as diagnosis or treatment, is not to be disclosed.
HIPAA regulations for "need to know" include: A nurse needs access to private health information for the patients in his/her unit but not for any patients that are not in that unit.
HIPAA regulations for "minimum necessary" include: A health insurance company will need information about the number of visits the customer had; but, isn’t allowed to view the entire patient history.
Allowing members of the media to interview a patient in a substance abuse facility
Including private health information in an email sent over the Internet
Releasing information about minors without the consent of a parent or guardian
HIPAA regulates the use, transfer, and disclosure of identifiable health information. With these examples of common HIPAA violations, you can probably better understand HIPAA and the types of behaviors it prohibits.
Change of Phone Number
Please note that our phone number has changed to 1-877-204-2963.