A thoughtful reader responded to our last post, Debunking a Viral “Medical Hack” Meme, which advised health plan subscribers to cite certain HIPAA compliance issues in efforts to overturn unfavorable insurance coverage decisions.
Jeff Knapp wrote:
This meme just popped up in my Facebook news feed this morning, and I was happy to see you addressed it so quickly. I too immediately noticed several flaws. In addition to the ones you noted here, there is certainly no right under HIPAA for an individual to speak with a covered entity’s privacy officer. While it’s true that a covered entity must designate a contact person or office, in my experience the contact person/office and the privacy officer are not the same. Typically, a privacy officer is dealing with higher-level issues than responding to requests for documents. I always enjoy reading your blog posts.
Mr. Knapp accurately notes that there is no right to contact a privacy officer, and in fact, HIPAA provides no private right of action for an individual whose protected health information was improperly accessed. See Why Can’t I Sue Under HIPAA for a Breach of my Protected Health Information? What Can I Do?
Moreover, if the individual disputing a coverage decision is covered by a self-insured plan sponsored by his or her employer, the strategy advocated by the meme could easily backfire, notwithstanding any separation of insurance administration and human resources functions within an employer’s management structure, whether nominal or reasonable.