Running afoul of HIPAA is an expensive mistake. HIPAA violations can cost healthcare organizations millions.
From 2003 to 2021, regulatory bodies have penalized HIPAA violators with fines totaling $135,298,482. The federal government imposed an average fine of $1,366,651 across all cases.
Typically, only the Department of Health and Human Services’ Office for Civil Rights can bring a HIPAA violation case against an organization. But a recent lawsuit suggests that future patients may have a cause of action to sue over violations directly.
Patients may be able to bring a case directly to the court system if the medical practitioner violates their constitutional rights.
A recent case attempts to fight a HIPAA violation directly. It alleges that the healthcare organization violated the plaintiff’s Fourteenth Amendment rights.
What Is HIPAA?
HIPAA is a regulation designed to protect patients. It stands for the Health Insurance Portability and Accountability Act. HIPAA was enacted in 1996.
Since then, HIPAA has gone through some changes, clarifications, and updates. Generally speaking, HIPAA regulations make sure that a patient’s private medical information is only disclosed with the patient’s express authorization.
HIPAA regulations apply to medical practices, healthcare businesses, private and state health insurance providers, and healthcare clearinghouses. Any organization that handles a patient’s private medical information must abide by HIPAA.
In practice, HIPAA articulates procedural mandates. Medical practices must abide by HIPAA’s security, privacy, transaction, and identification rules. They also must report breaches and violations to meet regulatory standards.
Medical organizations are legally responsible for complying with HIPAA regulations. If they do not, the federal government may impose fines or other disciplinary actions.
Can Patients Sue Over a HIPAA Violation?
Patients cannot bring a lawsuit directly against a medical practice to enforce HIPAA. However, a patient who believes his or her rights have been violated has a few options to get compensation.
Private Cause of Action
HIPAA does not give patients a private cause of action to sue a practice directly. A private cause of action is a legal right that allows an individual to bring a civil lawsuit.
Specifically, a private cause of action requires showing that an institution or individual violated a law, regulation, or protection, and that the violation caused harm.
Cause of Action and Enforcement
HIPAA does not give patients a cause of action to sue medical practices directly. However, they have a few options.
A patient can file a complaint with the Department of Health and Human Services’ Office for Civil Rights. The department can investigate. Then, the OCR can impose a fine, or it may choose to bring a civil suit on behalf of the patient.
Alternately, a patient may be able to bring a civil suit against a medical practice under state laws. Some states have patient privacy protections beyond HIPAA. In these cases, a patient can bring a suit through the state’s court system.
Most states with these laws allow patients with a cause of action to enforce these laws’ protection through civil court.
Finally, a patient may have a cause of action for a suit against a medical institution if the court determines that the institution violated the patient’s constitutional rights. Federal constitutional rights supersede other laws and regulations.
Department of Health and Human Services Complaint
In most circumstances, a patient who believes his or her privacy rights have been violated can file a complaint with the Department of Health and Human Services. Specifically, the DHHS’s Office for Civil Rights will investigate the complaint.
Sometimes the complaint is baseless. If the complaint has merit, the OCR will either settle the complaint outside of court or file a civil case within the court system.
Office for Civil Rights HIPAA Lawsuits
The HHS’s Office for Civil Rights has brought HIPAA cases to court, or fined healthcare organizations in out-of-court settlements, sixteen times so far in 2021.
Some of these cases were lawsuits over patient privacy violations due to security breaches. Others were due to Patient Right of Access violations.
In January 2021, the HHS OCR fined Lifetime Healthcare Companies (and their affiliates) $5.1 million for neglecting to protect patient data. That security breach compromised approximately 9.3 million patients’ private information.
Patient Right of Access
HIPAA grants patients the right to see up-to-date copies of their medical information upon request. Patients have the right to see all of their personal health records kept by medical providers, insurers, and other healthcare institutions.
Patient Right of Access violations may occur when it takes too long for a patient to receive their personal information after their request.
In June 2021, the OCR fined The Diabetes, Endocrinology, Lipidology Center Inc. (DELC) $5,000. OCR also imposed a corrective action plan. In this case, the DELC violated HIPAA regulations when it took two years to fulfill a patient’s request for medical information.
State Laws and Regulations
Sometimes a patient may opt to pursue other methods of enforcing their rights to privacy and access. These patients may bring a healthcare provider to court over violating state law.
State laws may be stricter than HIPAA regulations. They may also allow an individual’s direct enforcement, unlike HIPAA. In recent years, patients have brought cases against providers in Arizona, California, and Minnesota.
Arizona’s law A.R.S. 12-2296 empowers patients to enforce the confidentiality of their medical records. In 2019, the Arizona Supreme Court upheld a patient’s cause of action to sue a provider in Shepherd v Costco.
This ruling empowers patients to take legal action beyond any action the HHS OCR takes. In the same vein, the Minnesota Health Records Act (MHRA) enables patient lawsuits.
The MHRA and the California Confidentiality of Medical Information Act (CMIA) give patients more power to enforce their medical privacy rights.
Violations of Constitutional Rights
In other contexts, an individual’s right to sue over an institution’s violation of their constitutional rights supersedes other cause of action prohibitions. For example, individuals in many states have sued hospitals over violations of their Fifth Amendment rights, alleging unlawful restraint.
Recently, the U.S. Court of Appeals for the Fourth Circuit heard a case alleging that a HIPAA violation was also a violation of the plaintiff’s constitutional rights under the Fourteenth Amendment.
The Fourteenth Amendment states, in part, that, “no state shall… deny to any person within its jurisdiction the equal protection of the laws.” This constitutional right has served as the basis for non-discrimination acts in the United States.
Fourteenth Amendment and HIPAA
In that case, the plaintiff, Payne, alleged that Taslimi, a doctor at Deep Meadow Correctional Center, loudly announced Payne’s HIV-positive status. Thus, Taslimi violated Payne’s right to medical privacy.
In the lawsuit, the plaintiff claims that this violation of his patient privacy was an act of discrimination, due to his HIV-positive status. Allegedly, Taslimi protected HIV-negative inmates’ privacy, but not Payne’s privacy.
This unequal protection of privacy was the basis of the lawsuit.
Ultimately, the Court of Appeals for the Fourth Circuit dismissed the suit. Payne lost his appeal on the grounds that he had no reasonable expectation of privacy in a prison.
However, the lawsuit still demonstrated that a private individual may sue over the discriminatory application of HIPAA without going through the OCR. In a different setting, the unequal application of privacy protections could form the basis of a Fourteenth Amendment case.
HIPAA Training to Stay Above the Law
HIPAA is a complex set of rules. You and your organization can stay compliant with HIPAA training and certification.
What Is HIPAA Training?
HIPAA training is a set of in-depth courses designed to prevent negligence, abuse, discrimination, reporting mistakes, and other errors that could cause non-compliance with HIPAA.
Anti-discrimination training, in particular, can prevent the unequal application of HIPAA practices. The unequal application of privacy processes could result in a Fourteenth Amendment lawsuit.
HIPAA training can vary depending on the specific regulatory risks your practice may meet. For example, there are specialized HIPAA training courses designed to meet the issues dental offices deal with as well as HIPAA training for bloodborne pathogens.
Other courses address the unique risks medical office staff and sales professionals face when working with patient data. Patient data management and direct patient care are both aspects of medical care covered by HIPAA.
What Is HIPAA Certification?
HIPAA certification is provided by a third party. A healthcare practice cannot grant itself HIPAA certification. Public health departments also do not certify organizations for HIPAA compliance.
Instead, HIPAA certification is granted by reputable third parties, like medical schools or specialized programs. These programs educate staff involved in patient care on compliance.
They also provide organizations with a checklist of strategies, tools, and mechanisms the organization can put in place to ensure compliance. Tools can be software programs, processes, or other security features.
Prioritize Patient Rights
Keep patient rights a priority. There are more cases every month where a patient has a cause of action to bring a lawsuit against a medical provider. Also, there are many situations where a patient finds cause to file a complaint with the Department of Health and Human Services’ Office for Civil Rights.
It’s important that neither you nor anyone at your practice violates a patient’s rights by accident or negligence. HIPAA training and certification can keep your practice compliant.