As a privacy lawyer, I am frequently asked about cases that arise out of health care workers who snoop on patients’ private medical records. These are often called HIPAA violations, but that label usually has nothing to do with the potential legal ramifications. HIPAA regulations protect the confidentiality of certain health information, including the patient’s medical records. However, they do not include a private right of action that gives an individual whose medical records have been accessed or disclosed to others without authorization the right to sue for money damages as a result of this breach of their privacy. Instead, individuals have to look to their own state law for relief.
Hospital employees frequently snoop on patients’ records. Any time a celebrity or sports figure is in the hospital, it is common for doctors and nurses within the facility to snoop on the record. In addition, snooping occurs when hospital employees are aware that a family member, romantic rival, love interest, or neighbor is in the hospital. All unauthorized access to a medical record is strictly prohibited by the HIPAA regulations.
In a recent case, a radiology technician employed by the Kaiser Permanente Hospital system accessed thousands of patient records over a period spanning almost 10 years. The hospital system will surely claim that the individual was acting outside the scope of his employment and therefore attempt to evade responsibility. However, the hospital has distinct responsibilities under the HIPAA regulations to prevent these types of incursions.
First, the regulations require that a hospital “ensure” that such privacy breaches do not occur. To do so, it has to engage in a number of practices, including training staff, implementing physical and technical safeguards that prevent access by unauthorized individuals, and conducting frequent audits to detect when records are being viewed by employees without a business or medical reason to do so. In addition, depending on the state, laws provide that an employer such as a hospital is liable for the acts of its employee if the acts take place on work time and with access credentials provided by the employer.
As an invasion of privacy lawyer, if I’m contacted by a client complaining of a HIPAA breach, the first course of action is to request that the client contact the offending provider, whether a hospital, nursing home, or other health care provider, and request an audit of their record. The HIPAA regulations require providers to conduct an audit and report the results of the audit to the patient and to the Department of Health and Human Services. In addition, the affected party can contact the Department of Health and Human Services and initiate a complaint for the HIPAA violation.
If the provider substantiates a violation of the patient’s HIPAA rights, a claim for breach of privacy can be brought to recover compensation for harm caused by the breach of privacy. Your next call should be to a privacy lawyer.