More and more, I receive inquiries from patients who ask the same question—what are my remedies as a patient if I know that my medical records have been accessed without my consent? With all this emphasis on HIPAA these days, you would think that the patient would have some meaningful remedy under federal law. To answer this question, patient and their physicians should be aware of the following basic principles—
- HIPAA rules and regulations provide civil and criminal penalties for those who violate it, but these are enforced by the department of justice, federal attorney general, and/or state attorney general, not private citizens.
- A private citizen can file a complaint of HIPAA violations on http://www.hhs.gov/ocr/privacy/hipaa/complaints/. There is always the possibility that the department of justice along with the federal or state attorney generals will investigate and issue sanctions so as to prevent such a breach from happening in the future.
- But for a private lawsuit, a patient would have to look to state law to determine if any viable claims exist. Arguably, HIPAA, applicable federal and state laws, and applicable rules and regulations would collectively provide a standard of care for medical records acquisition, transmission, and maintenance that could be used to prove the necessary elements under the state law causes of action.
- Generally, a patient would need to look at what state law claims are available in the state in which the breach occurred. Possible claims, depending on the state, include negligence claims and violation of physician/patient confidentiality as well as invasion of privacy (public disclosure of private facts), and invasion of privacy (intrusion), if such claims exist in that state. However, any such common law claims most certainly will require damages, which may be hard to show as the damages must be tied to the improper access and disclosure.
- There also may be statutes that protect medical records. For example, there is a Medical Records Privacy Act in Texas (Texas Health & Safety Code, Chapter 181), which has some immediate injunctive relief provisions but enforcement powers are reserved to the state attorney general. Such statutes may presume damages, may require actual damages, and may even provide treble damages. Or a state may provide no such statute at all, leaving the patient with only the causes of action available under that state’s common law.
A health law attorney with knowledge of HIPAA and other patient privacy issues can help the patient determine if there are any specific statutes or common law causes of action under state law that allow for a private cause of action. However, unless the breach caused real, quantifiable damages or is ongoing (meaning injunctive relief is needed), the patient may only be left with an ability to file a complaint with the federal government, which may end up being little relief at all.