Assistant Professor of Law — UNT Dallas College of Law
SPRING 2019 ISSUE:
CIVIL REMEDIES AND TORTS
HIPAA applies to health plans, like an HMO or insurance company, and any health care provider that transmits health information in electronic form in connection with a transaction.3 This means that the vast majority of health care providers, including doctors, nurses, and hospitals, must abide by HIPAA. HIPAA prohibits disclosure of “protected health information” by these health care providers. “Protected health information” includes any information about an individual’s past, present, or future physical or mental health or condition; any information about what health care an individual has received; and any information about an individual’s past, present, or future payments for health care.4 Generally, in order to share this information with any third party, your health care provider must get your permission to do so.
HIPAA requires a health care provider to share your protected health information with you.5 This is one of your rights under HIPAA. If you request your health information from a health care provider or you request an accounting of your health information, your provider is required to give it to you. You may request the information be provided in a certain format, and your health care provider must provide it to you in that format if it can be readily produced that way.6 You may also request that your health information be provided to a third party, such as your spouse, a specialist, or an attorney.7 To do this, you should ask your health care provider for a HIPAA request form. You should clearly identify in that form which records to send, the designated recipient, and where to send the records. You must sign the form and return it to your health care provider.8 You may have to pay a small fee to cover the cost of copying the records.9 You may also have to make your request in writing, and the health care provider has up to 30 days to provide you with your health information.10
There are a few exceptions to the general rule that your health care provider must give you your health information when you request it. First, patients do not have the right to access their own psychotherapy notes.11 Second, patients do not have a right to obtain information their health care provider has compiled for legal proceedings.12
If a health care provider refuses to provide you with your protected health information, the health care provider must provide you written notice that states the basis for the denial, a statement of your right to get a review of the denial, and a description of how to complain to the health care provider or the government.13 You then have the right to have the denial reviewed. In that case, the health care provider must designate a licensed health care professional not involved in the denial to review the decision not to give you access to your health care records.14
HIPAA not only gives you the right to see and access your protected health information, it also gives you the right to check the accuracy of the information and change it if it is incorrect. Specifically, if you believe that the information in your health care record is wrong, you may make a request to your health care provider to amend your health record.15 Your health care provider may require you to make such a request in writing.16 If you do, the health care provider has 60 days to make the requested change or to deny the change.17 A health care provider can deny the request if the record you are asking to change was not created by that health care provider or the record is otherwise accurate or complete.18 Even if your health care provider denies your request to change your health record, she or he must allow you to submit a written statement that disagrees with the denial that will be placed in your health record.19 If your health information is ever provided to a third party, your health care provider is required to produce not only your health record, but also your statement explaining your disagreement with the accuracy of the record.20
Besides giving you the right to access, check, and change your health care information, HIPAA also protects the privacy of those records. As stated, HIPAA generally prohibits a health care provider or other covered entity from sharing your health care information with a third party without your permission. There are a few exceptions to this rule, however. First, HIPAA allows a health care provider or other covered entity to share your health care information with you even if you do not request it. It also allows your health care information to be shared during the course of treatment or for the purposes of payment.21 A health care entity can also share your health care information in emergency situations. For example, your information can be shared if you are incapacitated and your doctor needs to tell your family.22 The health care entity may also share your health care information with public health authorities in certain situations, including data collection with respect to disease outbreaks, reporting of child abuse or neglect, or in relation to your use of an FDA-regulated drug or device.23 Finally, a health care entity can share your health care information with law enforcement under certain circumstances, for example, if you are suspected to be the victim of a crime24 or if a court has ordered it to do so.25
Although HIPAA protects the privacy of your health information, unfortunately, it does not provide a way for you to sue your health care provider in court if you believe the health care provider has violated your rights under HIPAA.26 Instead, if you believe that your health care provider has exposed your protected health information to a third party without your permission, your only option is to file a complaint with the Secretary of Health and Human Services via the Office of Civil Rights (“OCR”).27 The Office of Civil Rights has the authority to investigate complaints of HIPAA violations and to impose civil and criminal penalties, depending on the severity of the breach. That being said, the OCR cannot impose penalties if the health care provider’s failure to comply with HIPAA was reasonable and is corrected within 30 days of when the health care provider knew of the failure to comply.28 The standard is even higher for imposing criminal penalties: a health care provider must knowingly or willfully violate HIPAA’s privacy rule to be subject to criminal prosecution and penalties.29 Although the OCR rarely penalizes health care providers for violating HIPAA, it does occasionally do so. In 2010, for example, the OCR fined Cignet Health $4.3 million for denying 41 patients access to their medical records.30
In sum, HIPAA requires health care providers and other health care entities to provide you notice of your privacy rights and keep your health information private. Additionally, subject to the exceptions explained above, it allows them to share your health information only with you and others you have specifically designated. HIPAA also gives you a right to access and review your health information and to change it if you believe anything in your record is inaccurate. If your health care provider has denied you any of the rights HIPAA affords you or has breached the privacy of your health records, you can file a complaint with the Office of Civil Rights.
1 Assistant Professor, UNT Dallas College of Law.
2 The law is codified at 42 U.S.C. § 300gg, 21 U.S.C. § 1181 et seq., and 42 U.S.C. § 1320d et seq.
3 See 45 C.F.R. §§ 164.103; 164.104(a); 164.500(a).
4 Id. § 164.103.
5 Id. §§ 164.502(a)(2); 164.524(a).
6 Id. § 164.524(c)(4).
7 Id. § 164.524(3)(ii).
9 See id. § 164.524(c)(2)(i).
10 Id. § 164.524(b)(2)(i).
11 Id. § 164.524(a)(1)(i).
12 Id. § 164.524(a)(1)(ii).
13 Id. § 164.524(d)(2).
14 Id. § 164.524(d)(4).
15 Id. § 164.526(a).
16 Id. § 164.526(b)(1).
17 Id. § 164.526(b)(2).
18 See id. § 164.526(a)(2).
19 See id. § 164.526(d)(2).
20 Id. § 164.526(d)(5).
21 Id. § 164.506(c)(1)(2) & (3).
22 See id. § 164.510(a)(3).
23 See id. § 164.512(b) & (c).
24 See, e.g., id. § 164.512(f)(3).
25 See, e.g., id. § 164.512(f)(1)(ii).
26 See Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006) (holding that because HIPAA does not contain any language expressly giving individuals private rights to bring a case based on a HIPAA violation, Congress intended to preclude such cases).
27 See 45 C.F.R. § 160.306. To get more information about filing a HIPAA complaint, go to https://www.hhs.gov/hipaa/filing-a-complaint/index.html (last checked Nov. 9, 2018).
28 45 C.F.R. § 160.410(b)(2).
29 See 42 U.S.C. § 1320d-6.
30 Cignet Health Fined a $4.3 Civil Money Penalty for HIPAA Privacy Violations, at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html (last checked Nov. 9, 2018).