Appellate court rules on whether HIPAA trumps state privacy laws

When it comes to HIPAA, even dead people must be afforded privacy, according to a recent appellate court decision.

The 11th U.S. Circuit Court of Appeals ruled earlier this month in Opis Management Resources LLC v. Secretary Florida Agency for Health Care Administration that federal rules supersede a Florida statute governing access to health records.

The case involved a group of nursing home operators that argued that Florida Statute § 400.145 was preempted by HIPAA. That statute allows healthcare organizations to release deceased residents’ medical records in nursing homes to specified individuals. At issue was whether that law is consistent with HIPAA, as well as determining just who those “specified individuals” are.

The case grew out of requests from spouses and attorneys for medical records of deceased nursing home residents. The facilities refused to release the records because those requesting them were not “personal representatives” under the relevant provisions of HIPAA.

The trial court granted summary judgment in favor of the nursing facilities, finding that the Florida law provided nursing home residents less protection than required under HIPAA.

The appellate court noted: “Florida statute stands as an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA in keeping an individual’s protected health information strictly confidential.”

HIPAA violations: When can you sue?

Q.  I just learned that the manager of my doctor’s office told my friend about my recent visit to the office.  I thought that my private health information was supposed to be kept confidential under federal law.  Now my friends are talking about it and I am humiliated. Can I sue the doctor or his office manager? Is there anything else I can do?

A. We get this question frequently. The federal law you are referring to is the privacy standards contained in the Health Insurance Portability and Accountability Act, or HIPAA, and the privacy rules published pursuant to that law. HIPAA rules are intended to protect the privacy of personal health information held by covered entities such as your physician’s office. It gives patients a wide array of rights with respect to the information, while permitting disclosure under certain specified circumstances. Unless the disclosure to your friend was permitted under the privacy rules, such as disclosures to another healthcare provider for purposes of treatment, or disclosures for purposes of payment or operations of the provider, or any of the other permitted disclosures under the rules, a disclosure by the office manager to your friend would not be permitted without your consent or authorization. Violations of HIPAA privacy rules carry significant penalties, including civil money penalties, criminal fines and prison time.

What most people don’t get about HIPAA is that, as extensive as the statute is, and as serious as its potential penalties are, Congress, in its infinite wisdom, chose not to include a private right of action. That means that private individuals do not have the right to sue others specifically for violating HIPAA. It’s like giving us the right to sue somebody for speeding. So, what happens when someone is injured due to an accident caused by excessive speed? In that case, there will be no shortage of personal injury attorneys willing to take that case. Why? The answer is easy: the likelihood of significant damages resulting from the injuries caused by the accident.

Now to your HIPAA case: You will not be able to bring a lawsuit to enforce HIPAA privacy standards against your physician or his office manager. However, you may have other options. For example, if you can show some kind of damage as a result of the negligent disclosure of your health information, then it’s possible to proceed on that basis. Alternatively, there may be other laws available upon which you can seek a remedy. For instance, if you receive healthcare benefits from your employer and your insurance company was responsible for making an improper disclosure of your health information, you may have a remedy under ERISA.

Suffice it to say that your available remedies depend upon other factors involved in the improper disclosure. However, there are things you can do under HIPAA to bring attention to possible inadequate privacy protections at your doctor’s office. For example, you can file a complaint with the HHS Office for Civil Rights (OCR). The complaint must be filed in writing, either by mail or electronically, within 180 days of when you learned of the violation. The complaint must name the covered entity and describe the violation. The government will then contact the covered entity, which will then be required to submit information. The OCR may begin an investigation or take other actions it deems appropriate. If the OCR determines that a serious violation has occurred, then it may impose an appropriate penalty.

If you believe that your right to privacy was violated, contact legal counsel to discuss it. You may be entitled to a remedy, not because the HIPAA rules were violated, but because you may have suffered damages as a result.

OCR Releases Final HIPAA Rules

The Office for Civil Rights (OCR), the folks who brought us the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has released new and far-reaching changes to the HIPAA privacy, security and enforcement rules.

The new, final HIPAA rules are, according to an HHS press release, “designed to increase flexibility for and decrease burden on regulated entities.”

The new rule will be published in the Jan. 25 Federal Register and will implement statutory requirements that were enacted in the HITECH Act as part of the American Recovery and Reinvestment Act of 2009.

Among other things, the rule clarifies when breaches of unsecured health information must be reported to HHS. It eliminates the prior breach notification rule’s “harm standard” and replaces it with “a more objective standard.”

Although the new rule is effective March 26, 2013, covered entities and business associates have until Sept. 23, 2013 to comply with its provisions.

Obama signs bill simplifying Medicare secondary payer compliance

Jan. 14, 2013 – On Jan. 10, President Obama signed into law the Strengthening Medicare and Repaying Taxpayers (SMART) Act passed by Congress in December.

The SMART Act is aimed at simplifying compliance with the Medicare Secondary Payer (MSP) Act. MSP has been around since the 1980s and made Medicare the secondary payer to personal injury insurance, health insurance, and workers’ compensation plans.

MSP required parties who have settled a liability case, such as a workers’ compensation or auto accident case settlement or judgment, to determine and repay the Medicare program for any conditional payments it made on behalf of a beneficiary in connection with the liability case. This has sometimes been difficult because getting the necessary information out of Medicare is challenging, making it hard to determine how much Medicare should be paid.

The SMART Act addressed this problem by requiring CMS to establish a website whereby individuals or insurance companies can access information on claims paid by Medicare. It also requires that Medicare provide conditional payment information within 65 days of a request. Medicare is also required to respond to individual disputes regarding Medicare’s conditional payments within 11 days and to establish regulations providing appellate rights regarding its determinations of conditional payments made.

The SMART Act also establishes a three-year statute of limitations on MSP actions by Medicare to recover claims.

Lawmakers push for redesign of Medicare cards

Jan. 2, 2013 – In an unusual display of unity, the U.S. House of Representatives passed a bill designed to protect the nation’s seniors from identity theft by eliminating Social Security numbers from the Medicare ID card.

This follows a recent investigation that revealed a substantial number of Medicare beneficiaries are potential victims of identity theft. Medicare officials are not sold on the idea due to the high cost and the multiple agencies involved in the process of redesigning the ID cards and issuing new numbers.

Earlier this year, a report by the Department of Health and Human Services Inspector General found more than a quarter-million Medicare beneficiaries are potential victims of identity theft.

PIP law change to healthcare clinic licensure requirements takes effect

Dec. 31, 2012 – Effective Jan. 1, 2013, one of the changes made as a result of the enactment of the new PIP law is the requirement that entities which previously were exempt from healthcare clinic licensure are now required to become licensed.

This change likely was directed specifically at those healthcare practices that are jointly owned by physicians and chiropractors. Although such entities are excluded from licensure under §400.9905(g), they are now required to be licensed as healthcare clinics if they intend to bill for and receive reimbursement for healthcare services under PIP insurance policies.

Those entities that are jointly owned by physicians and chiropractors and which are not currently licensed as healthcare clinics should seek licensure without delay.


Lee Lasris interviewed about DOJ guidelines dealing with the medical necessity of ICDs.

Sept. 26, 2012 – This past August, the U.S. Department of Justice sent guidelines to hospitals that dealt with the medical necessity of implantable cardioverter defibrillators, or ICDs.

The guidelines were released to help with the settlement of claims stemming from the DOJ’s investigation of ICDs that were placed in Medicare beneficiaries at hospitals between 2003 and 2010. Hundreds of hospitals stand to face False Claims Act penalties for improper use of ICDs as a result of the investigations, which, as most hospitals going through fraud and abuse measures right now know, can be a very costly process.

SCOTUS healthcare ruling asserts rule of law over politics

June 29, 2012 – By Jodi Laurence and Karen Schapira

By upholding most provisions of the Affordable Care Act, the U.S. Supreme Court in its watershed ruling has asserted the rule of law over politics.

The court was asked to decide two issues: First, whether it was constitutional to mandate individuals to purchase health insurance or pay a penalty. And second, whether it was constitutional to require states to expand eligibility of the Medicaid program.

Whether you agree or disagree with Obamacare, it is indisputable that many will benefit from the individual mandate, while others will benefit from those states opting into the Medicaid expansion program.

Ensuring that all individuals purchase insurance coverage to defray the cost of insuring an unhealthy population is the premise behind the individual mandate requirement. That is because the law prohibits insurance companies from denying coverage based on pre-existing conditions or increasing premiums to a level that makes the purchase of a health insurance policy financially prohibitive.
