HIPAA violations: When can you sue?

Q. I just learned that the manager of my doctor’s office told my friend about my recent visit to the office. I thought that my private health information was supposed to be kept confidential under federal law. Now my friends are talking about it and I am humiliated. Can I sue the doctor or his office manager? Is there anything else I can do?

A. We get this question frequently. The federal law you are referring to is the privacy standards contained in the Health Insurance Portability and Accountability Act, or HIPAA, and the privacy rules published pursuant to that law. HIPAA rules are intended to protect the privacy of personal health information held by covered entities such as your physician’s office. They give patients a wide array of rights with respect to that information, while permitting disclosure under certain specified circumstances. The rules permit, for example, disclosures to another healthcare provider for purposes of treatment, disclosures for purposes of payment or operations of the provider, and a number of other listed disclosures. Unless the disclosure to your friend falls within one of those permitted categories, the office manager could not disclose your information to your friend without your consent or authorization. Violations of HIPAA privacy rules carry significant penalties, including civil money penalties, criminal fines and prison time.

What most people don’t get about HIPAA is that, as extensive as the statute is, and as serious as its potential penalties are, Congress, in its infinite wisdom, chose not to include a private right of action. That means that private individuals do not have the right to sue others specifically for violating HIPAA. It is much like speeding: nobody has a right to sue somebody simply for speeding. So, what happens when someone is injured in an accident caused by excessive speed? In that case, there will be no shortage of personal injury attorneys willing to take the case. Why? The answer is easy: the likelihood of significant damages resulting from the injuries caused by the accident.

Now to your HIPAA case: You will not be able to bring a lawsuit to enforce HIPAA privacy standards against your physician or his office manager. However, you may have other options. For example, if you can show some kind of damage as a result of the negligent disclosure of your health information, then it’s possible to proceed on that basis. Alternatively, there may be other laws available under which you can seek a remedy. For instance, if you receive healthcare benefits from your employer and your insurance company was responsible for making an improper disclosure of your health information, you may have a remedy under ERISA.

Suffice it to say that your available remedies depend upon the other factors involved in the improper disclosure. However, there are things you can do under HIPAA to bring attention to possibly inadequate privacy protections at your doctor’s office. For example, you can file a complaint with the HHS Office for Civil Rights (OCR). The complaint must be filed in writing, either by mail or electronically, within 180 days of when you learned of the violation. The complaint must name the covered entity and describe the violation. The government will then contact the covered entity, which will be required to submit information. The OCR may begin an investigation or take other actions it deems appropriate. If the OCR determines that a serious violation has occurred, then it may impose an appropriate penalty.

If you believe that your right to privacy was violated, contact legal counsel to discuss it. You may be entitled to a remedy, not because the HIPAA rules were violated, but because you may have suffered damages as a result.