What Constitutes a HIPAA Violation?
There are many basic actions that can trigger these violations. While most people focus on the provider itself disclosing private health information, there are also many situations where the provider's own staff can put it in violation of the HIPAA regulations. For example, if an employee of a provider searches for a celebrity's medical information without any legitimate reason, that may be a violation of the regulation. Some of the most common violations include:
• Allowing visitors access to files or computer systems without supervision.
• Posting pictures on social media without patient permission.
• Improper disposal of records.
• Not properly encrypting data.
• Using features on the provider’s website to gather information without telling patients the information may be shared with third parties.
• Not allowing patients access to their own health records.
• Employees not being trained on security policies.
• Using personal email addresses to send or receive ePHI (electronic protected health information).
These issues underscore the need for a provider to have adequate security measures in place to protect the privacy and confidentiality of consumers. The basic principle of HIPAA, or the Health Insurance Portability and Accountability Act, is that the privacy and confidentiality of consumers’ health information is of primary concern. The covered entity, or provider, must then protect that information even above and beyond the basic standards of care.
Laws You Can Use to Sue a Company
To successfully sue a company for a HIPAA violation, you will need to prove that they were not compliant with the applicable HIPAA regulations. It is important to note that this may need to be proven in more than just one way—as we discussed in the previous section, there are several HIPAA violations that can fall under a number of different categories. For instance, if your protected health information (PHI) was accessed by someone who did not have permission to access it, you may also be able to prove a violation of the "Privacy" and "Security" Rules. In other words, the company that compromised your PHI may be guilty of two violations of the HIPAA laws.
Based on this, it is sufficient to say that for a company to be guilty of a violation, it must be in violation of at least one of the HIPAA Rules. This will usually suffice as the legal ground necessary for a HIPAA violation lawsuit. However, something you need to take into account is who it was that had access to your PHI. If an employee accesses your information inappropriately, you may have a legal right to sue the company, but not the employee. Therefore, you may need to prove that the company was at fault for the conduct of its employee.
These infractions can result in a variety of penalties. Sometimes these penalties will be civil in nature, where you are awarded things like monetary damages or an injunction preventing the company in question from repeating the behavior. Other times, these issues can be criminal in nature, meaning that the company could be fined or, in some situations, certain individuals may have to serve time in prison.
The most important thing to remember, however, is that regardless of the legal grounds of your specific case, it is vital that you work with an experienced lawyer who can help you build your case and fight for your right to protection of your privacy. A knowledgeable attorney with extensive experience in HIPAA litigation and related lawsuits will be able to explain the relevant options to you and help you pursue a favorable outcome. Seeking legal counsel will also allow you to better understand the legal process and the complexities involved in these types of cases.
How to File a Complaint with the OCR
Filing a complaint with the OCR is handled through standard complaint forms, available on the website of the U.S. Department of Health & Human Services ("HHS"). The forms are used for reporting violations of most of the provisions of HIPAA as enforced by the OCR. The HIPAA "enforcement" provisions concerned with security, privacy, and breach notification are found in two areas: Title II, 42 U.S.C. § 1320d-6 through 1320d-8 (i.e., the "Administrative Simplification" provisions of HIPAA, found within Subchapter XI of Chapter 7 of Title 42), and Title XX (§§17921 – 17937) of the Health Information Technology for Economic and Clinical Health Act ("HITECH"). A complaint can be filed against any "covered entity", as that term is defined in the HIPAA regulations. As noted earlier, the definition of "health care provider" is broad: for purposes of filing a complaint for a violation of HIPAA under the administrative simplification provisions, it covers any individual or institution, group practice, or other entity that furnishes, bills for, or is paid for health care in the normal course of business. The person injured as the result of the HIPAA violation need not himself have been treated by the health care provider (for example, another family member can file a complaint alleging a privacy or security violation of their protected health information, if it was disclosed inappropriately to a third person).
There is no time limit on filing a complaint with the HHS OCR. However, there are time limits on the HITECH changes to HIPAA (including breaches of unprotected health information that do not meet the requirement of a breach of security, as that is defined in the HITECH legislation). The complaint must be filed within 180 days from the date the complainant first learns of the alleged breach of their protected health information.
The complaint must include how the complainant knows their protected health information has been disclosed inappropriately and is being used inappropriately. A complaint can be filed online for ease in making the allegations. Alternatively, an individual may print out the complaint form and file it via regular mail or fax. Information regarding the complaint should also include the date of the violation, when the complainant became aware of it, and what the provider did (or failed to do) to correct the improper disclosure.
The HHS is required to have a formal process for resolving complaints, which it does. The process includes investigating the complaint and making findings. Corrective actions may be required. The investigations can include inquiries sent to third parties (such as contacting the provider the complainant alleges has violated HIPAA). Resolution of complaints filed against covered entities or business associates must be completed within 180 days.
Can I Bring a Lawsuit for Damages?
Often a civil suit for damages will not be at the forefront of your mind after discovering a HIPAA Privacy Rule violation. You will be understandably preoccupied with understanding whether and how your protected health information was used or disclosed, and what steps are necessary to safeguard that information immediately. You also will most likely already have made good decisions and taken prompt action in terms of reporting the Privacy Rule violation, protecting your protected health information, and working toward a resolution.
However, a civil suit for damages arising from a HIPAA Privacy Rule violation does remain an option if you should so choose.
When you report a possible HIPAA Privacy Rule violation and make a good faith attempt to cooperate with the investigation that follows, you have a right under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to have the investigation performed by the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR), the agency that enforces HIPAA. This is often the correct course of action.
OCR will investigate the reported HIPAA Privacy Rule violation and then take any appropriate enforcement action necessary under federal law. A civil lawsuit for damages under state law will not necessarily have a better chance of success. Finding a state law that provides for a civil remedy for a HIPAA violation may depend on your discovery of a fact—the violation—that has not yet been uncovered during the federal investigation. In addition, the HIPAA Privacy Rule is currently being amended to specify the HIPAA Privacy Rule violations that give rise to a private right of action under state law.
There also are challenges to bringing a civil lawsuit for damages in state court based on HIPAA Privacy Rule violations. The confidentiality and privacy provisions of HIPAA expressly preempt conflicting state laws except where such state laws provide more stringent measures for privacy protection than are provided by HIPAA. This would not come into play if a state law provides for a civil remedy for a HIPAA Privacy Rule violation. However, it is what you would be up against in court if a federal lawsuit were ultimately brought under HIPAA.
Liability for Violating HIPAA
A violation of HIPAA could result in either civil or criminal penalties. The penalties are based on the severity of the violation, the degree of culpability of the party responsible for the violation, and the extent to which the violation was intentional or due to reasonable cause, and not to willful neglect.
The civil monetary penalties range from $100 to $50,000 per violation, capped at $1.5 million in one year. There is no criminal liability for violations resulting from reasonable cause. Penalties for criminal violations can range from a maximum of $50,000 per violation and up to six months imprisonment, to a maximum of $250,000 per violation and up to ten years imprisonment.
Aside from these types of penalties, a HIPAA breach itself can result in extensive reputational damage to the organization, loss of business, loss of the trust of its clients and patients, and loss of valuable trade secrets, such as patient records.
These sobering realities are important to bear in mind, whether for purposes of determining your IT provider’s compliance with HIPAA, or to find out your legal rights in case of a breach of your privacy.
Consult with a Lawyer
Whether or not to pursue legal action is a very important decision and one that should be made with the guidance of a legal expert. Federal laws such as HIPAA are unique and special, so you shouldn’t jump into any legal situation blindly because you think you might be entitled to compensation. The rules governing HIPAA are extremely strict and as a general rule, the violation must have been out of your control.
In order to be entitled to damages, there are several questions you should ask yourself:
If you believe you have been harmed due to a violation, it's time to do some serious evaluation of your case. You should speak with an attorney as soon as possible. Because the law governing HIPAA violations is so specific, you'll want to be certain that the person you're consulting with has experience handling cases similar to yours and that they're familiar with the HIPAA Privacy Rule, the Olympus Optical case, as well as the HIPAA Interim Final Rules. You can find a wealth of information on HIPAA privacy rights on the U.S. Department of Health and Human Services website, but nothing will replace the need to consult with a professional.