HIPAA and Violations Revisited
By Jeffrey J. Whitehead, Esq.
Some recent mistakes by a few of my clients prompt me to revisit what not to disclose with regard to PHI (“protected health information”) under HIPAA, and why you shouldn’t make unlawful disclosures. Penalties have often involved dismissal or being placed on leave (for example, for unlawfully examining HIV patient records), together with monetary settlements. That is not a good thing to have on one’s employment resume.
As we all remember, the HIPAA regulations were compiled as of March 2013. The official rules can be viewed at 45 C.F.R. Part 160, Part 162, and Part 164.
The recent trend in HIPAA is for states to allow their courts to look at HIPAA violations as a basis for private rights of action, because Congress did not expressly create such a right under HIPAA. In the Ninth Circuit, you can refer to these cases, and similar cases exist in other circuits: Seaton v. Mayberg, 610 F.3d 530, 533 (9th Cir. 2010) (no private right of action under HIPAA); Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1081 (9th Cir. 2007); Univ. of Colo. Hosp. Auth. v. Denver Publ’g Co., 340 F. Supp. 2d 1142, 1143–46 (D. Colo. 2004).
By some counts, at least ten states allow a HIPAA violation to serve as the basis for a claim of unlawful disclosure of private facts. Connecticut has held, in Byrne v. Avery Center for Obstetrics and Gynecology, that disclosure of PHI can expose physicians to negligence claims. HIPAA itself does not provide a private right of action, so the states’ incorporation of HIPAA into negligence or disclosure-of-private-facts claims is a means of accomplishing what HIPAA did not provide.
An Ohio ruling, Biddle v. Warren General Hospital, recognized a state tort for the unauthorized disclosure of nonpublic medical information. No decision has been made on possible HIPAA preemption. Nevada has not spoken to the issue, and the one court that could have addressed whether Nevada recognizes the tort of disclosure of private facts did not clarify it. Pacheco v. Kim, 2014 WL 5460869 (D. Nev. October 27, 2014). A case was also pending in state district court, Destito v. Flamingo Las Vegas Operating Co., LLC, which Judge Joanna Kishner dismissed on a two-year statute of limitations defense.
Despite the lack of a private right of action, a private citizen may file a complaint with the Department of Health and Human Services.
If the Department of Justice or state attorneys general pursue the violations, there are four classes of violations with four classes of penalties, together with an annual cap of $1.5 million in penalties. I am sure readers are relieved to know such a reasonable cap exists. Hold the applause please.
The four classes are:
Category 1: A violation that the covered entity was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by the HIPAA Rules.
Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (falling short of willful neglect of the HIPAA Rules).
Category 3: A violation suffered as a direct result of “willful neglect” of the HIPAA Rules, in cases where an attempt has been made to correct the violation.
Category 4: A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.
The general factors that can affect the level of financial penalty also include prior history, the organization’s financial condition and the level of harm caused by the violation. These factors could decrease or increase the financial penalty issued.
The penalties for these classes are as follows:
Category 1: Minimum fine of $100 per violation, up to $50,000;
Category 2: Minimum fine of $1,000 per violation, up to $50,000;
Category 3: Minimum fine of $10,000 per violation, up to $50,000;
Category 4: Minimum fine of $50,000 per violation.
The fines are issued per violation category, per year that the violation was allowed to persist. The maximum fine per violation category, per year, is $1,500,000.
Montana has a statutory right of action against healthcare providers, Mont. Code Ann. § 50-16-553, that applies only to those health care providers and facilities that are not considered covered entities under HIPAA. Montana law further provides:
“Any person whose rights have been violated with respect to recorded health care information (e.g., those rights related to access, confidentiality, amendment, etc.) may bring an action for relief against the relevant health care provider(s) or other person within 3 years from the date of the violation(s). The court may order the provider or other person to comply with the relevant provisions, and may order any other appropriate relief. The person whose rights have been violated may recover damages for monetary losses sustained as a result of the violation and, if the violation results from willful or grossly negligent conduct, may additionally recover up to $5,000. The court may also award reasonable attorney’s fees and litigation costs.”
It remains to be seen how many other states will follow Montana’s lead. Currently, California, Illinois, Louisiana, Massachusetts, New Hampshire, New York, Tennessee, West Virginia, Wisconsin and Wyoming also have remedies for disclosure of medical or healthcare records.
Options for states without statutory remedies could include negligence claims, violation of confidentiality, public disclosure of private facts, or invasion of privacy.
As we can see, there really is very little reason for any knowledgeable person to disclose PHI without the consent of the patient, or of a person with authority to release it. But despite the obvious harshness of the penalties, intelligent people continue to make negligent or willful mistakes. I had one case where a physician, who should have known better, intentionally released the PHI of a former employee. Please don’t be that “guy” or “gal”, unless you like paying attorneys’ fees and government penalties.