HIPAA and Protecting Privacy of Your Medical Records

By Judy Malmon, J.D. | Reviewed by John Devendorf, Esq. | Last updated on December 8, 2025

The Health Insurance Portability and Accountability Act (HIPAA) protects protected health information (PHI) and medical records from improper use or disclosure. Part of the federal HIPAA law is the Privacy Rule, which regulates when a patient’s protected health information may be used or disclosed by health providers and health plans.

If you have concerns about your health information, contact a health law attorney for legal advice.

Health Care Information and Patient Privacy

Medical records and protected health information contain detailed and highly sensitive information about reports of confidential treatment sessions, health records, mental health information, as well as patient names, addresses, Social Security numbers, and other personal information.

Health care privacy violations vary — from viewing a celebrity patient’s chart or taking smartphone photos to a hacker breaching a hospital’s private servers. Invasions of health information privacy are not isolated incidents; in fact, they’re on the rise.

According to a 2017 federal report, complaints filed with the HHS Office for Civil Rights (OCR) rose about five percent per year until 2012. Privacy complaints regarding patients’ rights continue to rise.


What Is Protected Health Information?

All individually identifiable health information held by health care providers, pharmacies, or other covered entities is protected health information. This includes any information or health data that identifies an individual or for which there is a reasonable basis to believe it can be used to identify an individual. Protected health information also includes electronic PHI.

Protected information includes demographic data related to:

  • The individual’s past, present, or future mental or physical health condition
  • Providing health care services to the individual
  • Past, present, or future payment for their health care

Individually identifiable personal health information includes many common identifiers, such as name, address, patient records, birth date, and Social Security number.

There are no restrictions on the use or disclosure of health information that has been de-identified. To de-identify health information, individually identifiable information must be removed so that it is no longer possible to identify the individual.

Privacy Protections Under HIPAA

Such invasions of privacy are in violation of HIPAA, the Health Insurance Portability and Accountability Act of 1996, which is enforced by HHS’ Office for Civil Rights (OCR). Safeguards are in place, and medical information privacy violations can result in both civil and criminal penalties, including fines up to $250,000 and 10 years in prison. HIPAA settlements can sometimes amount to millions of dollars.

However, HIPAA does not provide a private right to sue based on a violation of its Privacy Rule. Instead, you can file a complaint with your health care provider, the covered entity, your health insurer, or HHS. You must file a HIPAA privacy complaint within 180 days of the circumstances giving rise to the complaint. OCR will investigate and let you know its conclusions and what actions have been taken.

OCR can seek voluntary corrective action or issue a formal finding of a violation. It may impose civil monetary penalties as part of the negotiated resolution, and these can, as noted, run into the millions of dollars. However, monetary penalties go to HHS, not to any injured individual.

Your attorney may be able to bring a civil suit for violation of your state’s medical records disclosure law or for invasion of privacy under state law. In most states, the confidentiality of personal medical records is protected by the right to privacy. However, for this type of claim, you must show documented and provable damages: you must demonstrate how you suffered harm from the disclosure.

What Are Permissible Uses and Disclosures of Protected Health Information?

Health plans and providers can use or disclose an individual’s protected health information in two situations:

  • When authorized in writing by the individual (or the individual’s agent or parent)
  • As permitted by the Privacy Rule

Under HIPAA regulations, health plans, insurance companies, and health providers can use and disclose PHI, without the individual’s written authorization, only in the following situations:

  • In communication with the individual
  • Treatment, payment, medical information, and health care operations
  • Uses or disclosures where the individual has an opportunity to agree or object, such as notifying family members of a health condition
  • Incident to a permitted use if the information was limited to the minimum necessary
  • Public interest and benefit activities, typically required by law
  • Limited data set, meaning removing direct identifiers of the individual — and their relatives — for the purposes of research, public health, or health care operations

Obtaining Written Authorization To Use Health Information

If a health plan or provider wants to use or disclose PHI for any other purpose, it must obtain the individual’s authorization.

A plan or provider cannot make treatment conditional on obtaining an authorization. For HIPAA compliance, authorizations must be in plain language and include specific information about the information to be disclosed. Each authorization must also state when it expires and explain the individual’s right to revoke it in writing.

Obligations for Providers and Plans

When using or disclosing PHI, providers and plans must limit their use to only the minimum necessary. This means using only the minimum amount of information necessary to accomplish the intended purpose. Providers and plans have policies and procedures to limit the use and disclosure to the minimum necessary.

Entities must give patients notice of their privacy practices, usually at or before the first visit, and must make a good-faith effort to obtain the patient’s written authorization of that notice of privacy practices.

The notice must also make the patient aware that they can report any violations to the U.S. Department of Health and Human Services (HHS). HHS can levy fines and criminal penalties for HIPAA violations.

HIPAA privacy and security rules face continuing challenges as healthcare technology changes. For more information on this area of law, reach out to a health care lawyer for legal advice.
