The HIPAA Privacy Rule and You

Did You Think the HIPAA Privacy Requirements Would Protect Your Medical Records?

Think Again.

A key part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) added significant protections for the privacy of Protected Health Information (PHI) and severe penalties for privacy violations. This might provide some comfort to you as the medical information about you that is available to others grows ever more extensive and intrusive, particularly under the Affordable Care Act (Obamacare), with its reliance on electronic health information records.
That is, it might, if the violation were part of a very large disclosure of multiple patient records (see the last link in this post). The responsibility for pursuing violations rests with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). However, the case load of violations is so large that, unless OCR thinks there is evidence of widespread egregious violations possibly leading to large fines, it appears unlikely that much will be done about an individual violation.
On the other hand, suppose you are an individual and learn that, through careless handling in a provider’s office (known in HIPAA as a “covered entity”), your information was disclosed to a third party other than one of the many outside agencies to which disclosure is permitted. For example, you might find out by accident that your medical records were mailed to another patient.

Although under the law this is a clear violation, according to a spokesperson at the Office for Civil Rights (HHS), they get so many complaints of this type that they rarely investigate any more. At most, if you go through the procedure to file a complaint, which can be done online, OCR might send the covered entity a letter, amounting basically, in this blogger’s opinion, to “shame on you— now go and sin no more!”

“According to the US Department of Health and Human Services Office for Civil Rights, between April 2003 and January 2013 they received 91,000 complaints of HIPAA violations, of which 22,000 led to enforcement actions of varying kinds (from settlements to fines) and 521 led to referrals to the US Dept of Justice (criminal actions).” That is, 24% of reported violations led to enforcement actions, not including the 0.5% referred for criminal prosecution (no data on what actually happened to those 521 cases). It is difficult to believe the other 69,000 reports were all, or even mostly, frivolous or filed by someone seeking revenge on a practitioner. Filing a complaint under HIPAA with the Federal Government is a serious step, one not to be undertaken lightly.
While it is possible to file a complaint anonymously, OCR notes on the form that doing so will drastically hamper their ability to investigate. Further warnings, such as the next two, are included to impress upon the individual the seriousness of this step (Source: HEALTH INFORMATION PRIVACY COMPLAINT, Form Approved: OMB No. 0990-0269).
“Fraud and False Statements
Federal law, at 18 U.S.C. §1001, authorizes prosecution and penalties of fine or imprisonment for conviction of “whoever, in any matter within the jurisdiction of any department or agency of the United States knowingly and willfully falsifies, conceals or covers up by any trick, scheme, or device a material fact, or makes any false, fictitious or fraudulent statements or representations or makes or uses any false writing or document knowing the same to contain any false, fictitious, or fraudulent statement or entry.”
“OCR may disclose information, including medical records and other personal information, which it has gathered during the course of its investigation in order to comply with a request under the Freedom of Information Act (FOIA) and may refer your complaint to another appropriate agency.”
Here are the things that cause the most complaints, from a report issued by HHS/OCR in September 2011:
  • “impermissible uses and disclosures of PHI
  • lack of safeguards of PHI
  • denial of individuals’ access to their PHI
  • uses or disclosures of more than the minimum necessary PHI
  • inability of individuals to file complaints with covered entities”
From the same report, “the most common types of covered entities that have been required to take corrective action are:
  • private practices
  • general hospitals
  • outpatient facilities
  • health plans
  • pharmacies”
The reader will note the second item on the list, which makes this post relevant to the general theme of this blog.
The penalties for violations range from $100 for a single violation by an individual who, innocently and unaware of the law, disclosed protected health information (PHI) to as high as a $1.5 million annual maximum for HIPAA violations due to willful neglect that is not corrected.
Check this site for some of the large hospitals, clinics and pharmacies recently sued for violations to see what it takes to get OCR’s attention. 
Given the realities facing an individual victim of an unauthorized disclosure of PHI who files a complaint, what is the best course? If you are concerned at all about the disclosure and how serious a threat it might be to your identity, and you are willing to accept the strictures on your complaint mentioned above (plus others outlined on the complaint form itself), then consider this. Like any crime, if it is not reported, it may happen again—to you or someone else.