Understanding the HIPAA law
HIPAA is an abbreviation of “Health Insurance Portability and Accountability Act.” It was established in 1996 to improve efficiencies in the US health care system. The HIPAA law attempts to ensure strict confidentiality and privacy of your medical information. Though Utah law allows you to access your medical records, under HIPAA there are certain restrictions as to how you can access these records and who can access the records on your behalf.
Importance of Medical Records
It is important to know the value of your medical records. These records will be extremely useful for your lawyer, policy provider and your doctor. Most importantly, your doctors will need your past medical history and past medical records in order to treat you most effectively. But your medical records are confidential and cannot be accessed by anyone else unless they have your specific written permission. This is a core aspect of the HIPAA law, also referred to as the HIPAA Privacy Rule.
HIPAA Privacy Rule
Under the HIPAA Privacy Rule, anyone such as your hospital or health care provider who has access to your medical records cannot share them with any third party except the surrogate you have named. They can only share them with other people if it is a case of an emergency or it is an absolute necessity to share the details. Otherwise, they cannot be shared without your written consent. This makes sure that your medical records will never be shared for illegal practices, and if they are, the person disclosing them may be civilly punished.
Exceptions to HIPAA
The HIPAA law has two parts.
• Part 1 deals with insurance portability, which means that insurance coverage for employees will continue even when they change jobs.
• Part 2 focuses more on standardizing health care information, particularly the electronic exchange of such information, and also looks at minimizing health care fraud and abuse.
As stated above, the medical practitioner, lawyer and policy providers are allowed to share the details in case of absolute emergencies, when it is a necessity, or as required by law in cases of litigation or the discovery process.
How does one define those emergencies and necessities?
Here is a list of emergencies and necessities defined by Utah Law. In case of these emergencies, one is compelled to share the available medical information. The emergencies and necessities are as follows:
• Life threatening situations
• Child abuse
• Court orders
• Gunshots
• Sexual abuse
If the medical records are disclosed for a reason other than those mentioned above, the offending party may be charged a fine of $100 and upwards of $1,500.00 per violation. If the release of the records is intentional, the perpetrator could face criminal charges and prison time.
The Other Side of HIPAA
The HIPAA law is quite complex, and several doctors and health care providers are not exactly sure how it affects them. As a result, they may refrain from sharing critical medical information with your family or even with you in certain situations. The fact is, with your written permission, information can be shared with anyone you want. If you believe that it is necessary for others to have access to your medical information, you should inform your health care provider. HIPAA is intended to be for the benefit of the patient. It often plays a legal role in the personal injury context, as medical records and their disclosure play a fundamental role.
How Do HIPAA Regulations Affect Judicial Proceedings?
HIPAA regulations are designed to keep healthcare organizations compliant, ensuring that sensitive data, such as patient PHI, stays secure. Should a healthcare data breach occur, covered entities or their business associates will be held accountable, and will likely need to make adjustments to their data security approach to prevent the same type of incident from happening again. However, there are often questions and concerns about how HIPAA regulations tie into certain judicial or administrative proceedings.
What does HIPAA say about searches and legal inquiries?
The HIPAA Privacy Rule states that there are several permitted uses and disclosures of PHI. This does not mean that covered entities are required to disclose PHI without an individual’s permission, but healthcare organizations are permitted to do so under certain circumstances. “Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make,” the Privacy Rule explains.
The six examples of permitted uses and disclosures are the following:
• To the Individual (unless required for access or accounting of disclosures)
• Treatment, Payment, and Health Care Operations
• Opportunity to Agree or Object
• Incident to an otherwise permitted use and disclosure
• Public Interest and Benefit Activities
• Limited Data Set for the purposes of research, public health or health care operations
Under the public interest and benefit activities, the Privacy Rule dictates that there are “important uses made of health information outside of the healthcare context.” Moreover, a balance must be found between individual privacy and the interest of the public.
There are several examples that relate to disclosing PHI due to types of legal action:
• Required by law
• Judicial and administrative proceedings
• Law enforcement purposes
Covered entities and their business associates are permitted to disclose PHI as required by statute, regulation or court orders. “Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided,” according to the HHS website. For “law enforcement purposes,” HIPAA regulations state that PHI can also be disclosed to help identify or locate a suspect, fugitive, material witness, or missing person. Law enforcement can also make requests for information if they are trying to learn more about a victim or suspected victim. Another important aspect to understand is that a covered entity can disclose sensitive information if it believes that PHI is evidence of a crime that took place on the premises. Even if the organization does not think that a crime took place on its property, HIPAA regulations state that PHI can be disclosed “when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.” Essentially, covered entities and business associates must use their own judgment when determining whether a situation warrants releasing PHI without an individual’s knowledge. For example, if local law enforcement wants more information from a hospital about a former patient who they believe is dangerous, it is up to the hospital to weigh the options of releasing the information.
What Can I Do After an Improper Disclosure of Medical Records?
Your medical records are considered confidential information under federal privacy rules established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). But you may still become the victim of improper disclosure of medical records through a data security breach, the improper maintenance of records, or unauthorized snooping in your paper-based patient file.
HIPAA and Medical Records
Health care providers, health insurance companies, and other entities involved in the administration of health care may not share personally identifiable medical information without your consent. It is important to note that this rule does not restrict the ability of doctors, nurses, and other providers to share the information needed to treat you. Medical records may include your medical history, family medical history, information about your lifestyle, past procedures, laboratory test results, prescribed medications, genetic testing results, and related information. HIPAA applies to information held or transmitted in any form or media, including electronic, paper and oral. Covered entities such as doctors and hospital administrators must obtain your written authorization in order to share such medical information with life insurance companies or other outside businesses.
How to Take Action After an Improper Disclosure of Medical Records
Consider taking the following two steps if you believe your private medical records have been improperly shared or exposed:
• Contact the person or entity responsible for the disclosure, ask them to retrieve the disclosed records, and request that whoever received them destroy their copies. The responsible party may be willing to help you in the event that an error has occurred.
• Contact HHS to describe the alleged incident and request an investigation. If HHS uncovers any HIPAA violations, the agency may warn or discipline the person responsible for the disclosure, or refer the matter to the Department of Justice for prosecution.
To file a complaint with HHS, fill out a “Health Information Privacy Complaint” (PDF) form and file it within 180 days of the alleged act. Make sure you send your complaint to the appropriate regional office, via mail or fax.
Breach of Privacy Lawsuits
The law of your state may provide other legal avenues for relief, such as the right to sue for invasion of privacy or breach of doctor-patient confidentiality, and receive damages as compensation for injuries suffered as a result of the disclosure of medical records. And even though HIPAA does not provide the right to sue in federal court, lawsuits filed in state courts have used HIPAA standards to establish liability.
Filing Complaints for HIPAA Violations
If HIPAA Rules are believed to have been violated, patients can file complaints with the federal government, and in most cases complaints are investigated. Action may be taken against the covered entity if the complaint is substantiated and it is established that HIPAA Rules have been violated. The complaint should be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR). While complaints can be filed anonymously, OCR will not investigate any complaints against a covered entity unless the complainant is named and contact information is provided. A complaint should be filed before legal action is taken against the covered entity under state laws. Complaints must be filed within 180 days of the discovery of the violation, although in limited cases an extension may be granted. Complaints can also be filed with state attorneys general, who also have the authority to pursue cases against HIPAA-covered entities for HIPAA violations. The actions taken against the covered entity will depend on several factors, including the nature of the violation, the severity of the violation, the number of individuals impacted, and whether there have been repeat violations of HIPAA Rules. The penalties for HIPAA violations are detailed here, although many complaints are resolved through voluntary compliance, by issuing guidance, or when an organization agrees to take corrective action to resolve the HIPAA issues that led to the complaint. Complaints may also be referred to the Department of Justice to pursue cases if there has been a criminal violation of HIPAA Rules. Complaints about individuals can also be filed with professional boards such as the Board of Medicine and the Board of Nursing.
How to File a Lawsuit for a HIPAA Violation
If you have been informed that your protected health information has been exposed as a result of a healthcare data breach, or you believe your PHI has been stolen from a specific healthcare organization, you may be able to take legal action against the breached entity to recover damages for any harm or losses suffered as a result of the breach. The first step to take is to submit a complaint about the violation to the HHS’ Office for Civil Rights. This can be done in writing or via the OCR website. If filing a complaint in writing, you should use the official OCR complaint form and keep a copy to provide to your legal representative. You will then need to contact an attorney to take legal action against a HIPAA-covered entity. You can find attorneys through your state or local bar association. Try to find an attorney or law firm well versed in HIPAA regulations for the greatest chance of success, and contact multiple law firms and speak with several attorneys before making your choice. There will no doubt be many other individuals who are in the same boat, some of whom may have already taken legal action. Joining an existing class action lawsuit is an option; the more individuals involved, the stronger the case is likely to be. Many class action lawsuits have been filed on behalf of data breach victims who have yet to experience harm due to the exposure or theft of their data. The plaintiffs claim damages for future harm as a result of their data being stolen. However, without evidence of actual harm, the chances of success will be greatly reduced.
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR). The OCR’s role in maintaining HIPAA compliance comes in the form of routine guidance on new issues affecting health care and in investigating common HIPAA violations. Through a series of interlocking regulatory rules, HIPAA compliance is a living culture that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information. Learn more about how to become HIPAA compliant with Compliancy Group’s software solutions.
Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos to name a few. PHI transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards and is known as electronic protected health information, or ePHI. ePHI is regulated by the HIPAA Security Rule, which was an addendum to HIPAA regulation enacted to account for changes in medical technology.
Who needs to be HIPAA compliant?
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.
• Covered Entities: A covered entity is defined by HIPAA regulation as any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
• Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. There are many, many examples of business associates because of the wide scope of service providers that may handle, transmit, or process PHI. Common examples of business associates affected by HIPAA rules include: billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.
What is required for HIPAA Compliance?
HIPAA regulation outlines a set of national standards that all covered entities and business associates must address.
• Self-Audits – HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is not enough to be compliant; it is only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year over year.
• Remediation Plans – Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.
• Policies, Procedures, Employee Training – Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards as outlined by the HIPAA Rules. These policies and procedures must be regularly updated to account for changes to the organization. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff has read and understood each of the organization’s policies and procedures.
• Documentation – HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS OCR to pass strict HIPAA audits.
• Business Associate Management – Covered entities and business associates alike must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.
• Incident Management – If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule.
When you need a HIPAA attorney, please call Ascent Law LLC for your free consultation at (801) 676-5506. We want to help you.
8833 S. Redwood Road, Suite C
West Jordan, Utah
84088 United States
Telephone: (801) 676-5506