Protecting the Privacy of Your Medical Records
What to do if a hospital or physician improperly discloses your medical info
on September 5, 2017
Updated on June 9, 2022
In February 2017, the medical records of hundreds of patients at South Fulton Mental Health Center, Atlanta, Georgia, were discovered in an open dumpster in front of the facility in East Point, Fulton County. The papers, which were protected health information left in open view for anyone to see, held detailed and highly sensitive psychiatric reports of confidential treatment sessions and health records, as well as patient names, addresses and Social Security numbers, all of it identifiable health information.
While the circumstances vary—from unauthorized nurses viewing a celebrity patient’s chart or taking smartphone photos to a hacker breaching a hospital’s private servers—such invasions of health information privacy are not isolated incidents. In fact, they’re on the rise. Complaints filed with the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) rose about 5 percent per year until 2012, according to its 2017 federal report. The increase over the past three years: almost 22 percent. To be more specific, the number of complaints related to information privacy went from 2,268 in 2003 to 17,661 in 2015.
Such invasions of privacy violate HIPAA, the Health Insurance Portability and Accountability Act, which is enforced by HHS’ Office for Civil Rights (OCR). Safeguards are in place, and medical information privacy violations can carry both civil and criminal penalties, including fines up to $250,000 and 10 years in prison. HIPAA settlements can sometimes amount to millions of dollars.
However, HIPAA does not provide a private right to sue over a violation of a HIPAA privacy rule. Rather, you can file a complaint with your health care provider, covered entities, your health insurer, or HHS. You must file a HIPAA Privacy Complaint within 180 days of the circumstances giving rise to the complaint. The OCR will investigate and let you know its conclusions and what actions have been taken.
If the investigation concludes there was a possible criminal violation, OCR will forward the matter to the U.S. Department of Justice. If there’s a determination that a non-criminal patient privacy violation occurred, the OCR will seek voluntary corrective action or will issue a formal finding of a violation involving personal health information. It may impose civil monetary penalties as part of the negotiated resolution, and these can, as noted, run into the millions of dollars. However, monetary penalties are paid to HHS, not to any injured individual.
Your attorney may be able to bring a civil suit for violation of Georgia’s state medical records disclosure law, or under Georgia’s invasion of privacy or negligence law. The privacy of personal medical records is an individual right protected by Georgia’s constitutional right to privacy. The challenge in successfully pursuing this type of claim is that you must show documented and provable damages—that is, specifically and quantifiably, how you were harmed by the disclosure. Examples of documented losses include medical care, health plan or counseling bills, credit protection or identity theft insurance, costs related to stolen identity, lost pay for time off, and other expenses that resulted directly from the breach of your privacy.