Filefax, Inc., a defunct Illinois medical records storage and management company, has been fined $100,000 for improperly handling medical data under an agreement with the court-appointed receiver managing the company’s assets on behalf of its creditors. This settlement has implications for both service providers and their covered entity clients. Fox Rothschild partners Elizabeth Litten and Michael Kline were quoted in an article by Marla Durben Hirsch entitled “Be prepared for HIPAA Issues if a business associate shuts down” in the August issue of Medical Practice Compliance Alert.

As the HHS press release stated, the consequences for HIPAA violations don’t stop when a business closes. In this case, Filefax had been under investigation by state and federal authorities since 2015 for careless handling of medical records that had been abandoned at a shredding facility. Medical Practice Compliance Alert notes:

This settlement shows that a provider or business associate that has violated HIPAA can’t avoid the consequences by shutting down. “OCR is saying that you’re still responsible if you close your doors,” says attorney Elizabeth Litten with Fox Rothschild in Princeton, NJ.

But it also provides a cautionary tale for providers who work with business associates that go under because providers are ultimately responsible for their patients’ records.

The article suggests the following tips for a covered entity to reduce its risks when a business associate may be in shaky financial shape:

  1. Keep an inventory of your business associate relationships.
  2. Choose business associates carefully.
  3. Monitor your business associates’ compliance with HIPAA.
  4. Expect increased scrutiny if a business associate is already on the government’s radar.
  5. Watch for signs that the business associate may be running into financial trouble.
  6. Don’t sit idly if the business associate files for bankruptcy.

What should a covered entity do when it learns that a business associate may have violated its HIPAA responsibilities? For starters, see our previous post entitled Ten Tips for Actions by a Covered Entity after a HIPAA Breach by a Business Associate. And if that BA has ceased operations, be prepared to take control of the situation even if the BA may not have enough resources left to reimburse you for its mistakes. Remember, the buck always stops with the Covered Entity.


The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that results from a breach. In this case, perhaps the cover-up was worse than the crime, or maybe prosecutors decided that a conviction on other charges would have been harder to get. Either way, the case should alert covered entities and business associates to the fact that HIPAA violations can result in jail time and criminal fines.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) investigates complaints and may impose civil monetary penalties (CMPs) for violations of HIPAA. The U.S. Department of Justice (DOJ) handles criminal investigations and penalties. This may not provide much comfort, but a CMP will not be imposed if the HIPAA violation is determined to constitute a criminal offense.

OCR will refer matters to DOJ for criminal enforcement in some cases, or will work cooperatively with DOJ where a DOJ investigation on other grounds reveals a potential HIPAA violation. HHS reported that OCR had referred 688 cases to the DOJ for criminal investigation as of June 30, 2018.

The criminal enforcement of HIPAA was described in a Memorandum Opinion issued in 2005 jointly to HHS and the Senior Counsel to the Deputy Attorney General by Steven Bradbury, then-acting Assistant Attorney General of the Office of Legal Counsel within DOJ (the DOJ Memo). The DOJ Memo explains that HIPAA allows for criminal penalties only for violations that involve the disclosure of “unique health identifiers” or “individually identifiable health information” (IIHI) that are made “knowingly” and in violation of HIPAA. Specifically, a person may be subject to criminal penalties if he or she knowingly (and in violation of HIPAA): (i) uses or causes to be used a unique health identifier; (ii) obtains IIHI; or (iii) discloses IIHI to another person. Criminal penalties range from misdemeanors to felonies. The maximum criminal penalty (a fine of up to $250,000 and imprisonment of up to 10 years) can be imposed if one of these offenses is committed “with intent to sell, transfer, or use [IIHI] for commercial advantage, personal gain, or malicious harm.” The DOJ Memo explains that “knowingly” refers to knowledge of the facts that constitute the offense, not knowledge of the law being violated (HIPAA).

The DOJ Memo emphasizes the fact that criminal penalties are reserved for limited and specific violations of HIPAA: “Such punishment is reserved for violations involving ‘unique health identifiers’ and [IIHI]… Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals.” The DOJ Memo focuses on violations by covered entities. It notes that when a covered entity is not an individual but a corporate entity, the conduct of agents may be imputed to the entity when the agents act within the scope of employment, and the criminal liability of a corporate entity may be attributed to individuals in managerial roles.

DOJ might decide to seek a conviction for a violation of HIPAA when it believes such a conviction would be easier to get than a conviction for a violation of other federal laws governing health care providers (such as the anti-kickback statute). After all, the DOJ Memo makes it clear that “knowing” refers to the conduct, not the state of the law. However, it should be noted, as per the DOJ Memo, that the DOJ’s interpretation of “‘knowingly’ does not dispense with the mens rea requirement of section 1320d-6 [HIPAA] and create a strict liability offense; satisfaction of the ‘knowing’ element will still require proof that the defendant knew the facts that constitute the offense.”

When a health care entity (like a large hospital system or health plan) has deep pockets, the OCR may decide to pursue very high civil monetary penalties and rely on the financial and reputational implications of those penalties to act as a deterrent. On the other hand, the DOJ may seek to deter behavior associated with a wider range of criminal activities by pursuing jail time for a HIPAA violation.

In the case of the Massachusetts physician, it is also likely that the DOJ pursued the criminal charge because she lied about her relationship with the third party to which she disclosed patient information. My law partner Charles DeMonaco, a white collar defense attorney and former DOJ prosecutor, agrees:

It is understandable why this doctor was indicted and convicted for these offenses. She was accused of lying to the agents, which is always a major hurdle in a criminal case. Even if an underlying crime cannot be established, a lie of a material fact to a government agent is a stand-alone false-statement felony. It also establishes consciousness of guilt. The doctor could have asserted her Fifth Amendment privilege against self-incrimination to avoid talking to the government agents. It is never a good thing for a doctor to speak with agents who are investigating the doctor’s conduct without counsel and without proper protection of limited use immunity being sought prior to the interview. The government also proved that she accepted fees from the pharma company after providing the [IIHI] in violation of HIPAA. Under these facts, it is not surprising that this case was brought as a criminal prosecution and that a guilty verdict was returned.

Everyone subject to HIPAA should be aware that a HIPAA violation involving disclosure or breach of IIHI may be the low-hanging fruit for criminal prosecutors originally focused on other violations of law. In particular, covered entities should carefully evaluate arrangements with third parties that involve the sharing of IIHI with those parties for commercial/personal gain or commercial harm. If the sharing of IIHI is not permitted under HIPAA and commercial gain or harm is involved, these violations could result in the most severe level of criminal penalties, including significant jail time.

New York Giants’ defensive end Jason Pierre-Paul suffered hand injuries while handling fireworks on July 4. A screenshot of a page from his hospital records was tweeted by ESPN reporter Adam Schefter on July 8, resulting in a flurry of speculation over whether the disclosure may have violated HIPAA or other privacy laws. In an article by  published today by LXBN, the Lexblog Network, our partners and frequent blog contributors Michael Kline and Elizabeth Litten are quoted extensively about the implications of the publication of these records by a media outlet, the health privacy rights of public figures and the effect, if any, of the NFL’s collective bargaining agreement on such disclosures. The article is here: Did That ESPN Reporter’s Tweet Violate HIPAA?

As noted in Elizabeth’s comments, there is no “public figure exception” to HIPAA, and as we have noted before in this blog, celebrities’ records are frequently the subject of unauthorized snooping.

A critical question is how the ESPN reporter obtained the records, from whom and under what circumstances. Although HIPAA does not directly regulate parties other than Covered Entities and their Business Associates, the law provides for criminal penalties for unauthorized use or disclosure of individually identifiable health information with the intent to sell, transfer, or use such information for commercial advantage, personal gain or malicious harm, including fines of up to $250,000 and imprisonment for up to ten years. The Department of Justice has stated that “the liability of persons for conduct that may not be prosecuted directly under section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability.”

Illicitly obtained medical records should be contrasted with health information that is released voluntarily by the individual patient. For instance, in the Ebola infection incidents of October 2014, it appears that some information reported in the media may have been voluntarily disclosed by the affected individuals or their families. Nevertheless, famous individuals, whether their fame arises out of their health condition or because of their prominence as athletes, entertainers or politicians, have the same health privacy rights as others, and those rights should be safeguarded by covered entities and their business associates.

With gun violence and mental health concerns in the headlines, the Office of Civil Rights of the Department of Health and Human Services has published a letter to health care providers clarifying when it is permissible to reveal PHI when a patient is reasonably believed to present a serious danger to himself or others. The long-awaited HIPAA Omnibus Rule, finally released yesterday, also addresses concerns about how to balance patient privacy with public safety.

Long before HIPAA, court decisions supported the right, and the duty, of health care providers to reveal a patient’s health information where it may be necessary to protect the patient or the public from identifiable risks of harm. The seminal case is the 1974 decision of the California Supreme Court in Tarasoff v. the Regents of the University of California. In that case, the family of a murder victim brought suit based on the failure of the university psychologist who had treated her killer to warn her that he had threatened her life during therapy sessions. The psychologist had recommended that the patient be hospitalized and did inform campus police, but the patient was not deemed dangerous enough to detain involuntarily, and later carried out his plan. This landmark case established a duty of health care providers to warn potential victims and the authorities when an individual makes a credible threat of violence. Most states follow the Tarasoff rule, either by statute or case law.

As the recent OCR letter indicates, the HIPAA rule permits disclosures in similar situations.

When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. Further, the provider is presumed to have had a good faith belief when his or her belief is based upon the provider’s actual knowledge (i.e., based on the provider’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority (i.e., based on a credible report from a family member of the patient or other person). These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).

Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.

In the spirit of the "imminent threat" exception, and recalling the famous Tarasoff decision quote, "The protective privilege ends where the public peril begins," the Omnibus rule resolves a controversy over when and how student immunization records may be shared with school officials. The rule simplifies the process to permit oral or written authorization to health care providers or other covered entities to supply this information to schools where required by state law for admission.

The final rule adopts the proposal to amend § 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor. We believe that the option to provide oral agreement for the disclosure of student immunization records will relieve burden on parents, schools, and covered entities, and greatly facilitate the role that schools play in public health, while still giving parents the opportunity to consider whether to agree to the disclosure of this information.

Documentation of the parental permission is still required, but the form of that documentation is up to the covered entity. Note that once a school is in possession of a student’s PHI, the school’s handling of those records is governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA.

The Omnibus rule is described by OCR director Leon Rodriguez as making "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." Many of these changes appeared in the Notice of Proposed Rulemaking published on July 14, 2010. We will be analyzing these changes in forthcoming posts.

In light of the Obama Administration’s initiatives following the Sandy Hook, CT and Aurora, CO tragedies, HHS appears to be responding to criticism of overly restrictive privacy rules that allegedly would have prevented disclosure of mental health information that may have saved lives. Clearly the current rules permit disclosure of imminent, concrete threats directed at specific targets, and there is no indication that either of the gunmen had expressed any such threats in advance to healthcare providers or otherwise. Nevertheless, the time may be right to dispel any misinformation about when such threats can be legally communicated to authorities and potential victims.

The first breach settlement announcement of the new year breaks new ground: a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It’s the first settlement of a breach involving fewer than 500 individuals. There was no indication that any PHI was improperly viewed or accessed.

In a press release issued January 2, 2013, OCR announced the negotiated resolution of a breach by the Hospice of North Idaho (HONI), which began when HONI reported the June 2010 laptop theft. The investigation revealed that HONI had not conducted a risk analysis to safeguard ePHI and had not adopted policies or procedures to address mobile device security.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Resolution Agreement, which appears here, emphasized the hospice agency’s failure to anticipate the risk of loss of unprotected data on mobile devices that were commonly used by its staff in field work:

"In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures."

The emphasis on a small covered entity’s lack of analysis and risk assessment is reminiscent of OCR’s settlement with two-physician Phoenix Cardiac Surgery, P.C. announced in April 2012, another case widely considered to be a warning to similarly situated entities. Note that HONI disputes the allegations in its own press release.

OCR also required HONI to enter into a two-year corrective action plan, which requires HONI to investigate any information indicating that any workforce member may have failed to comply with its Privacy and Security policies and procedures, and report the details of any such failure including sanctions imposed and steps taken to prevent recurrence.

Some lessons can be taken away from the HONI settlement.

First, encryption of ePHI is critical! Given the prevalence of breaches associated with lost and stolen laptops, it is often forgotten that the loss of unreadable encrypted data is generally not a HIPAA breach.

Next, all organizations, but especially those like hospices, home health agencies and other entities with mobile workforces, must prioritize securing mobile devices. For starters, refer to OCR’s guidance entitled Your Mobile Device and Health Information Privacy and Security, which is definitely worth reading. Some of the advice seems to be common sense (password protection, remote wiping or disabling, firewall and security software, avoiding file-sharing applications) but needs to be enforced organization-wide, particularly in today’s "bring your own device" environment. OCR has even created a handy one-page Fact Sheet with useful mobile device security tips.

Loss and theft of mobile devices may be inevitable, but protection of the data those devices contain is not as challenging as many think, and effectively implementing such protection should be a priority for 2013.

Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer’s medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the same hospital, was frustrated by the hospital administration’s delays in responding to her complaints and notified others including the FBI, her state senator and the American Civil Liberties Union before action was taken.

The Rutland, VT Herald reports that Kathy Tatro of Bennington, VT pleaded guilty to four counts of unauthorized access to computer records in a plea bargain that imposed probation and required her to serve 160 hours of community service, which will include talking to medical employees about the importance of privacy regarding patient records. The Bennington Banner reports that Ms. Tatro was given a 6-12 month suspended sentence, 2 years probation and a $2,000 fine.

This blog has noted other instances of snooping leading to serious consequences, including the case of a UCLA researcher sentenced to prison time for reading records of celebrities and co-workers, a Texas nurse fired for unauthorized access, a California hospital fined after employees accessed Michael Jackson’s records, a New York hospital that suspended employees for accessing George Clooney’s records after a motorcycle accident, and the termination of 16 hospital employees for accessing the records of an injured first-year resident.

The Vermont ACLU claims that this incident is “believed to be the most extensive breach of personal electronic medical records ever reported in Vermont.” The ACLU noted that the victim had explained in court how the system let her down.

“No investigation was begun nor any remedial action taken until she spoke up, complained, and dogged doctors, hospital administrators and trustees, state officials, federal officials, police officers, and the state’s attorney to do something. The privacy protections in place don’t work on their own; you have to fight to protect your rights.”

Based on reports, it appears this case was brought solely under state privacy laws, not HIPAA. It is not clear whether the Vermont Attorney General was involved, even though it seems that the victim alerted a variety of authorities.

This case is yet another cautionary tale that should be considered by anyone in a position to access health records without a legitimate purpose, as well as by hospitals and other covered entities, which should reevaluate the safeguards they have in place to track and prevent, or at least discourage, unauthorized access.

Attorney General Lori Swanson of Minnesota (“AG”) issued a press release reporting that Accretive Health, Inc. (“Accretive”), the defendant in an action filed by the AG in U.S. District Court alleging violations of HIPAA, HITECH, the Minnesota Health Records Act, and the Minnesota consumer protection laws, signed a Settlement Agreement, Release and Order on July 30, 2012 (“Settlement Agreement”). The Settlement Agreement recites:

[R]ecognizing that unique circumstances exist in Minnesota in light of the Attorney General’s Agreement with Minnesota charitable hospitals … Accretive Health … has decided to wind down its remaining work for Minnesota Clients …

(other than its continuation of prior technology licensing agreements). The Settlement Agreement also requires Accretive to pay the AG nearly $2.5 million within 15 days of the Settlement Agreement’s effective date. The funds may be distributed to patients at the discretion of the AG, used for settlement administration, and/or remitted to the State Treasury.

Previous posts to this blog have reported on the AG’s action against Accretive, and on the need for entities or individuals sharing Protected Health Information (“PHI”) to identify the roles, rights, and obligations of the parties. Michael Kline’s recent blog post reported on a breach involving more than 500 individuals included on the list maintained by the U.S. Department of Health and Human Services (the “HHS List”), highlighting the summary provided by the Office of Civil Rights (“OCR”). Michael noted that the OCR summary implies that OCR expects a covered entity (“CE”) contracting with a business associate (“BA”) to verify that the BA is “not an independent” CE.
Identifying the roles of the parties and the context in which PHI is disclosed is critical because different information-sharing standards apply depending on these roles and circumstances. For example, a business associate agreement (“BAA”) is not required for disclosures made within a CE for treatment, payment, or health care operations, nor is a BAA required for PHI to be disclosed from one CE to another CE where the recipient CE is a health care provider and the PHI is being disclosed for treatment purposes.
However, if the recipient CE is a health care provider but is receiving the PHI as a BA (generally defined as a person or entity that performs functions or activities on behalf of another person that is a CE, which involve the use or disclosure of PHI), a BAA is required and it must, among other things, “establish the permitted and required uses and disclosures” of the PHI (though failure to execute a BAA will not absolve the BA of its responsibilities and liabilities under HIPAA and HITECH). In addition, while most uses and disclosures of PHI must be limited to the “minimum necessary,” current regulations do not restrict disclosures to or requests by a CE that is a health care provider to the “minimum necessary” when the disclosure or request is for treatment of a patient. A CE can use or disclose PHI for “payment” activities, but must comply with the “minimum necessary” standard. If the “payment” activity involves disclosure to a consumer reporting agency, the CE may only disclose specified information (name/address, date of birth, social security number, payment history, account number, and the name and address of the CE).

The Accretive case was triggered by an alleged PHI breach (the all-too-frequent loss of a laptop containing sensitive information about 23,500 patients treated at two hospitals that had contracted with Accretive), but the AG’s allegations were most scathing where they painted a picture of insidious and inappropriate sharing and use of PHI between hospitals and Accretive. The AG alleged that Accretive’s “Quality and Total Cost of Care” services used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms. Accretive allegedly “amasse[d] and ha[d] access to a high volume of sensitive and personal information,” which it used, among other things, to create “per patient risk score” calculations, yet the hospitals’ patient authorization forms allegedly failed to disclose the scope or breadth of the PHI that the hospitals would share with Accretive.

In addition to this questionable and seemingly surreptitious “behind the scenes” PHI-sharing, Accretive staff allegedly interfaced directly with patients seeking treatment at the hospitals, often appearing to be members of the hospital’s staff. Jessica Silver-Greenberg, reporting on the Settlement Agreement in the New York Times, describes allegations of aggressive collection tactics taken by Accretive that involved requesting payment from patients seeking emergency care.

Whether a clear delineation of the role of Accretive as a BA and/or restriction of PHI disclosed to Accretive to the “minimum necessary” would have prevented the AG’s action is unclear. However, the Accretive case provides a good example of how the blurring of the CE and BA roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.
Ever wonder about those HIPAA breaches that affect fewer than 500 individuals and don’t get posted on the government website known as the “Wall of Shame”? In a recent presentation to the Hospital Council of Western Pennsylvania, officials from the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) provided detailed information on all breaches, including the agency’s enforcement and auditing activities.

The presentation revealed that the publicly posted breaches represent only the tip of the iceberg, less than 1% of all reported breaches. During the period September 2009 through May 31, 2012, there were 435 reports involving a breach of 500 individuals or more, and over 57,000 reports of breaches involving under 500 individuals.

Of the breaches exceeding 500 individuals, the most common cause is theft and loss, representing 65% of large breaches (and about 70% of these incidents involved ePHI).

[Chart 1]

The location of the compromised data was spread broadly over a variety of media, with a quarter of the breaches represented by paper records, another quarter by laptops, and 15% by portable devices such as phones, iPads and USB flash drives. Network servers represent 11%, perhaps due to tighter institutional control over firewalls and malware protection, and email is comparably secure at only 2%.

These statistics suggest that organizations should prioritize establishing and effectively implementing policies addressing the highest-risk media and breach circumstances, without ignoring the lower-frequency risks.

Keep in mind that breaches involving fewer than 500 individuals have been among the most prominent and high-impact cases, including the UCLA snooping case and the recent Phoenix Cardiac Surgery P.C. settlement.

The presentation also summarized OCR’s enforcement efforts over the past two calendar years. Of the 9,032 privacy complaints and compliance reviews opened in 2011 (up from 8,770 in 2010), 8,370 were closed: 2,595 after corrective action, 4,472 resolved after intake and review, and 1,303 in which the investigation found no violation. Security complaints are less frequent: 203 were closed in 2011, 158 after corrective action, 15 without determination of a violation, and 30 closed at the intake stage without investigation.

The OCR representatives also described the agency’s pilot audit program, which will target up to 115 covered entities for audit before the end of 2012 as required by the HITECH Act. The first 20 audits involved 8 health plans, 10 providers and 2 clearinghouses (Business Associates will be audited later).

The OCR presentation was led by Verne Rinker, a 13-year veteran of HHS who was also one of the presenters in last year’s comprehensive series entitled “HIPAA Training for State Attorneys General,” which is publicly available and would be an excellent training resource for covered entities and business associates.

In a welcome move toward transparency, OIG has been sharing more “inside” information than ever before. For instance, in this blog my partner Elizabeth Litten previously reported on the program OCR’s Linda Sanches recently presented on OCR’s audit efforts. Further, the official OCR summaries of breaches posted on the Wall of Shame often contain valuable insights into the enforcement process and the actions and factors considered relevant by the regulators, as noted in my partner Michael Kline’s recent post.

In another nod toward transparency, just this week, OCR also published its Audit Protocol, a comprehensive document that contains the requirements OCR’s team will assess through its performance audits. The audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.

The audit protocol covers Privacy Rule requirements for

  • notices of privacy practices for PHI,
  • rights to request privacy protection for PHI,
  • access of individuals to PHI,
  • administrative requirements,
  • uses and disclosures of PHI,
  • amendment of PHI, and
  • accounting of disclosures.

The protocol also covers Security Rule requirements for administrative, physical, and technical safeguards, and requirements for the Breach Notification Rule.

The protocol is both a useful guide to compliance and a valuable tool for preparing for and surviving an OCR audit.

As part of our healthcare practice, we frequently field questions from members of the general public about alleged violations of the HIPAA law that have affected them. Many people have been in the unfortunate situation where they believe that their protected health information (PHI) has been compromised inappropriately, and they want to know what they can do about it. Such individuals are often surprised and deeply disappointed to learn that the HIPAA law does not provide a "private right of action" in the event of unlawful access, use or disclosure of PHI. That means that under HIPAA, an individual cannot file a private lawsuit to recover damages against a party that allegedly improperly accessed, used or disclosed their PHI.

Such improper disclosures, however, may violate other state or federal laws or common law rights of privacy, so individuals may wish to reach out to an attorney who is licensed in their state of residence to determine whether they have any specific claims, rights or remedies related to the improper access, use or disclosure. The statute of limitations on such claims may be very short, so those who wish to pursue such potential claims should do so without undue delay.

Under HIPAA, if you feel that your PHI has been accessed, used or disclosed inappropriately, you may contact the Office of Civil Rights within the U.S. Department of Health and Human Services (HHS) to file a complaint (go to the OCR website to acquire a form that you may fill out online to file a complaint). Additionally, each state’s Attorney General is authorized to bring lawsuits under HIPAA on behalf of individuals whose medical records have been improperly disclosed, and to share any proceeds of such suits with the affected individuals.

While victims of inappropriate access, use or disclosure of PHI may view it as unfair that they cannot sue under HIPAA themselves, they should act promptly to seek the assistance of HHS or their state’s Attorney General to assert what rights they do have under HIPAA.