The intersection of technology and privacy is one of the fastest-growing areas of healthcare law today. With all the advances in information technology, the need to protect patient privacy is more important than ever. When privacy violations do occur, the results can be devastating. Patients can experience identity theft, fraud, embarrassment, emotional distress, and the loss of privacy of their medical information. However, there are laws in place to protect patients and their private medical information, as well as legal recourses for holding the at-fault parties responsible for their actions.
HEALTH INFORMATION REGULATION
A patient’s health information is regulated by federal and state laws, depending on the source of the information and the organization entrusted with its care. These laws regulate the privacy of patient information, as well as the exchange of that information.
HIPAA: Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (also known as HIPAA) regulates the use and disclosure of protected health information held by covered entities. Covered entities typically include the healthcare provider and any business associate who performs administrative duties for that provider.
The HIPAA Privacy Rule establishes national standards for the protection of health information. It defines and limits and circumstances in which an individual’s private health information may be used or disclosed. The goal is to assure that the patient’s medical information is protected, while allowing the necessary flow of information within the healthcare system. HIPAA Privacy Rules protect medical records, personal medical information, private health information, health plans, and healthcare electronic or financial transactions.
The HIPAA Security Rule establishes national standards for the protection of health information that is held or transferred in electronic form. In other words, any private patient information that is maintained in an electronic or digital format, or transmitted in an electronic or digital form.
HIPAA Privacy and Security Rules requires covered entities to:
- Implement administrative, technical, and physical policies and procedures to protect patient information
- Safeguard patient information from intentional or unintentional disclosure
- Train workforces on the policies and procedures in place to protect patient health information
- Ensure that only those employees who have been granted access to patient information can view, access, or transmit the information
- Implement policies to prevent, detect, and contain any unlawful disclosures of patient information
- Provide notifications following a breach of unsecured, protected patient information
- Mitigate any harmful effects of unlawful disclosures of protected patient information
- Apply sanctions against employees who fail to comply with the privacy policies or procedures
HITECH: Health Information Technology for Economic and Clinical Health Act of 2009
Through financial incentives, the HITECH Act promotes the expansion and adoption of health information technology and electronic health records by healthcare providers. HITECH also helps ensure that HIPAA-covered entities and business associates are complying with HIPAA rules. HITECH introduced tougher penalties for healthcare providers and associates who violate HIPAA Privacy and Security rules.
Georgia’s Medical Privacy Laws
Together, HIPAA and HITECH provide guidelines and rules for the protection of private patient medical information. These laws work in conjunction with Georgia’s already established privacy laws.
Under Georgia common law, a healthcare provider and its business associates owe a fiduciary duty to keep patients’ private medical information confidential. (A fiduciary duty is ethical in nature; one person or entity is obligated to act on another person’s behalf). The fiduciary duty of privacy under Georgia law requires the covered entity (healthcare provider) to apply the appropriate administrative, technical, and physical safeguards to protect the privacy of patient medical records.
COMMON VIOLATIONS OF HIPAA AND HITECH
When a healthcare provider or its business associate does not have the proper safeguards in place to protect patient records and information, privacy violations can occur. Here are some examples of the ways that a patient’s HIPAA, HITCH, or state privacy rights may be violated.
- Healthcare provider or business associate does not properly store patient records
- Healthcare provider or business associate improperly disposes of the patient records
- Healthcare provider or business associate released the patient records to an unauthorized party
- Employee of healthcare provider or business association misuses or abuses the patient records
- Employee of healthcare provider or business associate loses storage device (ex: computer) containing unsecured, private patient information
- Healthcare provider’s or business associates’ email is hacked, leading to data breach
- Healthcare provider or business associate improperly discloses patient information in front of a guest or a third party
- Healthcare provider or business associate reveals private patient information on social media
DAMAGES AND PENALTIES
When an individual or group has experienced a violation of their patient privacy, they may sue for a number of kinds of damages, including but not limited to: privacy loss, emotional distress, or out-of-pocket expenses for mitigating identity theft or fraud. The at-fault healthcare provider or business associate may also face civil and criminal penalties – depending on the situation. The amount of civil penalties depend on when the violation happened and whether the at-fault party was negligent in its privacy procedures or the disclosure of any breaches. Criminal penalties depend on whether the at-fault party knowingly obtained or disclosed private patient records, and whether that access involved personal gain or malicious harm.
HAVE ADDITIONAL QUESTIONS? HAS YOUR PATIENT PRIVACY BEEN VIOLATED? CONTACT ZINNS LAW
A patient relies on their healthcare provider to manage their wellbeing and help in emergency, life-changing situations. They also expect that their provider will keep their discussions confidential and medical records private. Unfortunately, healthcare providers and their business associates do not always follow federal and state privacy laws – and the results can be devastating. Zinns Law can help hold the at-fault parties responsible and ensure that you are compensated for your loss and experiences.