HIPPO, HIPPER, HIPPA, HIPAA……..whatever you call it

The Health Insurance Portability and Accountability Act of 1996 is known as HIPAA.  Over the past decade I have heard it cussed, discussed, and mispronounced more times than I can count.  The primary goals of HIPAA were to (1) make it easier for people to keep health insurance, (2) protect the confidentiality and security of healthcare information and (3) help the healthcare industry control administrative costs.  There is even a section of HIPAA dealing with “administrative simplification.”  Anyone that has spent any amount of time sorting through HIPAA would be hard pressed to honestly say that it simplifies anything.

Of those three goals of HIPAA, only one impacts my law practice daily.  The security and confidentiality of healthcare information.  Medical providers are required to maintain the privacy of their patient’s medical records and can not release the records without a valid authorization.  Every time we request medical records of our clients from their healthcare providers, we must submit a HIPAA compliant authorization.

But what happens if a medical provider releases information protected by HIPAA without an authorization?  HIPAA provides civil penalties for non-compliance ranging from $100 a day up to $50,000 a day with a calender year cap of $1,500,000.  There are also potential criminal penalties with fines up to $250,000 and jail time up to ten years depending on the type of wrongful conduct and the criminal intent behind the violation.

Despite the potential for significant penalties, HIPAA has for the most part been a toothless tiger because the Courts have typically found that there is no private cause of action under HIPAA.  Dean v. City of New Orleans, 2013 U.S. App. LEXIS 9106 (5th Cir. La. May 3, 2013)(citing Acara v. Banks, 470 F.3d 569, 572 (5th Cir. 2006).  In simple terms, that means that Sally can’t sue her doctor for a HIPAA violation if her doctor discloses the fact that she had two abortions, has a nasty a cocaine habit and three sexually transmitted diseases.  Given the lack of a private cause of action, only the US Department of Health and Human Service through the Office of Civil Rights can seek to directly enforce HIPAA.  Enforcement actions by the Department of Health for individual violations are so rare that I have never heard of one.

However, based on the recently reported Indiana Superior Court case of Hinchy v. Walgreen Co. and Peterson, it appears persons injured by the release of their confidential medical information may yet have an avenue to vindicate privacy rights.  Rather than using HIPPA as a cause of action, an injured party can allege that the HIPAA violation is evidence the medical provider committed negligence or violated a professional standard of care.

Sure, it sounds like semantics.  However, if attempting to plead a HIPAA violation results in a case dismissed, but pleading negligence based on violations of HIPPA as a standard of care results in a $1.4 million dollar jury question (as it did in Hinchy), which one do you think plaintiffs will pursue?  Given the comprehensive nature of HIPAA, expect to see preemption arguments against state court negligence actions involving HIPAA violations on the horizon.


About randywallace
I am a husband, father, attorney, outdoorsman and cook.

One Response to HIPPO, HIPPER, HIPPA, HIPAA……..whatever you call it

  1. Randy, great article on HIPAA, with a good twist on making it readable! I would just like to add that Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance, therefore it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI, it’s really that simple.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: