Violation of Patient Privacy Rights
Our Health Law Group helps health care providers, insurance companies, clearinghouses, supply companies, and all related business associates defend against charges and allegations of health care fraud. We help our clients meet their compliance goals and assist them through government investigations.
A violation of patient privacy rights can affect all aspects of the confidentiality of a patient’s personal information and medical conditions.
We help our clients deal with the resolution of violations that occur in the healthcare providers’ locations when their rights have been compromised.
There are around 10,000 registered and private hospitals in the United States and hundreds of thousands of credentialed medical facilities and healthcare professionals.
These companies provide out-of-hospital care for people with illnesses and injuries and operate in conjunction with many different types of healthcare providers, including emergency medical technicians, paramedics, nurses, and physicians.
No matter what the size of your company, violating patient privacy rights is a serious offense and could lead to fines, imprisonment, and the revocation of your professional licenses.
What is “Violation of Patient Privacy Rights?”
- Not adhering to expiration dates of patient authorizations – There is an option to include an expiration period to authorization requests. This would make it possible to release all medical records that are confidential after the time period specified.
- Patient information is not released promptly – HIPAA states that patients have the right to receive electronic medical records if they request them.
- Getting rid of medical records in an inappropriate manner – It is imperative that the medical records are shredded to avoid the release of confidential information.
- Unauthorized individuals who are “snooping” – Access by individuals who are not authorized to review a person’s medical records can be avoided by using passwords. This also includes reviewing clearance levels of the facility and systems that track the information.
- HIPAA forms that are missing signatures from patients – If a signature is missing from a form, the form is invalid, making it a violation to release that information.
- Medical requests being released to a party that is designated authorization – The individual listed on the form is the only person allowed to receive any patient records.
- The release of health information that was not authorized – Documents that were not listed to be released can violate the patient’s rights. It is part of the patient’s rights to only release a portion of their medical records.
- Information for the wrong patient has been released – A careless mistake can lead someone to release information for the wrong patient. This can happen when both patients have similar or identical names.
- A patient can revoke any clause – All patient forms that have been signed must include a Right to Revoke clause to be valid. A release of information to any other person goes against HIPAA regulations.
- Patient private information not being stored in a protected way – This covers electronic equipment that is not secured, which can include computers, mobile devices, and thumb drives. If these are stolen, it would be a violation of releasing the patient’s confidential information.
Here are some examples:
In 2010, a California physician, Huping Zhou, at UCLA Hospital was sentenced to four (4) months in prison for violation of HIPAA rights. He pleaded guilty to four (4) misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities.
In October 2003, Huping Zhou had been given notice for job performance reasons unrelated to the illegal access of medical records. That night, Zhou accessed and read his immediate supervisor’s medical records as well as those of other coworkers.
Over the next three weeks, Zhou abused his access to the organization’s electronic health record system to view the medical records of celebrities and high-profile patients, including Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio.
You may discover more examples of cases like this in our “Press Release” section below.
Who Can Be Found Liable for Violation of Patient Privacy Rights?
All healthcare facilities and healthcare employees that provide medical services can be found liable for patient privacy rights violations.
What is the False Claims Act?
- Patient’s information under false pretenses is illegal. For example:
- a patient’s personal information that includes their name, address, birth date, and Social Security number;
- the health condition of an individual that includes physical or mental health;
- care that the individual may receive; or
- payment information for care that can be used to identify the patient.
Medical professionals who violate HIPAA may face fines of $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation, and one year to ten years of imprisonment.
The DOJ interpreted the “knowingly” element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.
Who is in Charge of HIPAA Violation Investigations?
The release and use of all confidential patient information is a serious matter. These patient privacy allegations are then investigated by a federal agency that is in charge of dealing with patient privacy.
The federal agencies involved in investigating charges of health care fraud include:
Generally, the Justice Department’s Criminal Division (“DOJ”), Department of Health and Human Services Office for Civil Rights (“HHS-OCR”), and local prosecutors will work together to investigate and prosecute charges of health care privacy violations.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws and the Health Insurance Portability and Accountability Act (HIPAA).
Within HIPAA, HHS-OCR regulates the Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. Together, these rules protect the fundamental rights of patients and their health information privacy.
OCR protects your rights using the Privacy Rule and Security Rule
- Computer hard drives
- Memory cards, magnetic tapes, disks of any kind
- All removable/transportable digital memory media that can include private information
- Any transmission media used over the Internet, dial-up connections, intranets, leased lines and private networks that exchange information
How Are Healthcare Fraud Investigations Carried Out?
- Timely Response to Patient Complaints
- Conduct an Adequate Investigation
- the patient who was violated
- the individual who filed the claim;
- the medical employee who violated the rights.
Additional methods used in healthcare violations include:
- Involving HR to Determine Measure of Discipline
- Follow up with the Patient
- Determining if there is a Reportable Breach
- Correcting and Mitigating All Harmful Effects
- Getting your Documents in Order
How Can I Defend Myself Against Violations of My Patient Rights?
An individual must have “knowledge” of their rights being a violation to be found liable under HIPAA. Some examples consist of using confidential information to promote spam mailings by using their medical treatments and use of any or all personal information to be breached.
Prosecutors may prove your guilt by providing evidence that you knowingly reviewed medical records without consent. An example of this is fraudulent impersonation by using your information.
Even if you do not completely impersonate this patient, you can still be found liable in connection with the claim for any statements made in connection with the claim that you knowingly misled health care providers.
Violations of Patient’s Privacy Rights in the News
Charge: Criminal charges brought against an individual for an alleged HIPAA violation
Allegations: In 2014, Joshua Hippler, a Texas hospital employee, received an 18-month jail term for wrongfully disclosing private patient medical information. Mr. Hippler was found in possession of medical records upon being arrested in Georgia.
At the time of filing, it was not known how many records he had. Joshua Hippler was charged with wrongfully disclosing private health information for his personal gain. Individual charges like these are not very common because most HIPAA violations aren’t intentional.
This case is an example to warn individuals that they are not immune to the prosecution of HIPAA violations.
Charge: Viewing files for unrelated patients
Allegations: Training employees on HIPAA is important, as you will see in this case of a violation by Jamie Knapp, a respiratory therapist at ProMedica Bay Park Hospital in Ohio. Ms. Knapp had accessed approximately 596 medical records in 10 months.
She had the authority to review records of patients she was treating as part of her job. She allegedly viewed unrelated patient files. In October, Ms. Knapp was set to be sentenced with the possibility of facing up to a year in jail if convicted.
Since the prosecutor will have to prove that the law was broken, this could be a long shot.
Charge: Warning girlfriend about patient’s disease by text message
Allegations: A New York clinic nurse saw herself at the center of an ugly HIPAA violation case. Her sister-in-law’s boyfriend had been diagnosed with an STD. This nurse then sent her sister-in-law six text messages, warning her about the disease.
The boyfriend then sued the clinic even after this nurse had been terminated. The trial court judge dismissed the claim on the grounds that the nurse’s warnings were not unforeseeable and based on personal reasons.
The plaintiff (boyfriend) has appealed the decision. This HIPAA lawsuit is an example that seems to be unavoidable, with the caveat that the clinic should have been able to prevent the nurse from treating a close personal acquaintance.
Charge: Review of medical records by medical staff and non-medical staff
Allegations: Six doctors and 13 employees at UCLA Medical Center viewed Britney Spears’ medical records after her 2008 psychiatric hospitalization. Non-medical support staff who did not have a legitimate medical need to review these files violated HIPAA. Violations of this nature could be all but eliminated by following an IT concept called the Principle of Least Privilege.
The principle stresses allowing access to data only to those employees who need it to do their jobs.
Why you need an experienced patient privacy violation attorney
Our attorneys understand the healthcare industry and can help you understand the charges that are being brought against you. We can accompany you to interrogations and ensure that your rights are not violated. Ultimately, our goal is to help you establish a legitimate defense.
We have the knowledge and background to successfully defend anyone prosecuted for healthcare and insurance fraud in both state criminal and civil proceedings and federal criminal and civil proceedings.
We have represented industry and corporate clients, doctors, pharmacists, administrators, clinics, hospitals, and other health care industry professionals.