In a world seemingly dominated by all-encompassing HIPAA protections (i.e. the dozens of forms you are asked to sign when treated in the hospital) and daunting HIPAA fears (i.e. your boss’s warning that you cannot repeat, recite nor should you even remember information you learn from HIPAA sensitive documents while on the job,) the question inevitably arises: What can I do if I feel my so-called “HIPAA rights” are violated?
Proper analysis of that inquiry requires a basic understanding of Health Insurance Portability and Accountability Act of 1996. (A complete copy of the HIPAA statute can be found at http://aspe.hhs.gov/admnsimp/pl104191.htm.) In general, HIPAA provides privacy protections for individuals by limiting the ways health plans, pharmacies, hospitals and other “covered” entities can use personal medical information.
According to the United States Department of Health and Human Services:
Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. When it comes to personal information that moves across hospitals, doctors’ offices, insurers or third party payers, and State lines, our country has relied on a patchwork of federal and state laws. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient’s medical treatment or health care reimbursement…[t]he Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. (For more information see http://www.hhs.gov/hipaafaq/about/188.html.)
However, Congress did not create individual privacy rights through its enactment of HIPAA nor did it envision a private remedy in the event of HIPAA violations. In other words, although HIPAA, in effect, fashions or at least codifies what sounds like private privacy rights, it did not carve out a private remedy– or private right of action – for individuals to enforce violations in the absence of action by the Secretary of the U.S. Department of Health and Human Services.
Allow me to explain…
When Congress passes legislation it has the power to decide who will be the bill’s legal enforcers. In order to allow an individual be the enforcer, Congress must, either by express language contained within a particular statute or by implication though its intent, create a private remedy. In the case of HIPAA, several United States’ District Courts have concluded Congress did not create a private remedy. See Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006); Pierre v. County of Broome, 2007 WL 625978 (N.D.N.Y. 2007); Del Plato v. Meyeroff, 2008 WL 398547 (W.D.N.Y. 2008). Instead, Congress empowered the U.S. Department of Health and Human Services to enforce HIPAA violations.
So, what does all this mean to us? Even though it does not appear we have a private cause of action, the government has provided an avenue for us to give notice of potential violations. Specifically, if you believe a person, agency or organization covered under the HIPAA Privacy Rule violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights (OCR) in one (or more) of the following four ways:
Option 1: Open and print out the Health Information Privacy Complaint Form in PDF format (you will need Adobe Reader software) and fill it out. Return the completed complaint to the appropriate OCR Regional Office by mail or fax.
Option 2: Download the Health Information Privacy Complaint Form in Microsoft Word format to your own computer, fill out and save the form using Microsoft Word. Use the Tab and Shift/Tab on your keyboard to move from field to field in the form. Then, you can either: (a) print the completed form and mail or fax it to the appropriate OCR Regional Office; or (b) email the form to OCR at OCRComplaint@hhs.gov.
Complaints about HIPAA violations in that occurred in New York should be mailed to:
The Office for Civil Rights
U.S. Department of Health & Human Services
26 Federal Plaza – Suite 3313
New York, NY 10278
(212) 264-3313; (212) 264-2355 (TDD)
(212) 264-3039 FAX
Option 3: If you choose not to use the OCR-provided Health Information Privacy Complaint Form (although we recommend that you do), please provide the information specified above and either: (a) send a letter or fax to the appropriate OCR Regional Office; or (b) send an email OCR at OCRComplaint@hhs.gov.
(See http://www.hhs.gov/ocr/privacyhowtofile.htm for more detailed information on how to file a claim.)
Please note HIPAA prohibits an entity accused of violating its provisions from taking any sort of retaliatory action whatsoever against anyone for filing a complaint with the Office for Civil Rights. OCR urges you to notify it immediately if any you experience any retaliatory action.
Thanks for reading, Christina
Christina M. Bruner, Esq.
Personal Injury & Malpractice Attorney
Ziff, Weiermiller, Hayden & Mustico, LLP
303 William Street, Elmira, New York 14902
Toll Free: 1.800.943.3529