It’s been years since HIPAA became a household term. Yet, there continues to be a significant amount of confusion about when it applies, what types of uses and disclosures of PHI are permitted, and if individuals can sue someone for a HIPAA violation.
The Office for Civil Rights recently published separate guides, one for health care providers and one for patients, to help clarify misunderstandings about when PHI can be released to family and friends involved in a patient’s medical care. Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in their care or payment for care. The provider guidance document is intended to clarify these HIPAA requirements so that health care providers do not unnecessarily withhold a patient’s health information from these persons. The guide also includes common questions and a table that summarizes the relevant requirements.
There are other helpful resources posted on the government’s website to help patients and providers understand HIPAA. Below is a sample of links that aim to dispel certain misunderstanding about HIPAA:
- Fighting Myths about the Privacy Rule
- Who Must Comply With HIPAA
- 10 Myths about HIPAA and Medical Records Privacy
By far, the most frequent question that I receive from individuals is "can I sue for a HIPAA violation?" There appears, in my experience, to still be significant confusion regarding the fact that HIPAA does not provide for a private right of action. What this means is that an individual cannot sustain a lawsuit against another person or entity based solely on HIPAA, even if such individual believes his or her PHI has been disclosed in violation of HIPAA. In such situations, HIPAA provides for a mechanism where the individuals can file a complaint with the federal government. Individuals can also consult with an attorney to determine if other federal laws or their State’s laws may provide for any remedy.