What Legal Rights Do I Have if My Medical Records Are Improperly Disclosed to an Unauthorized Third Party?
We often hear of a patient who has learned that his or her physician released medical records to an unauthorized individual. There are also occasions where a hospital has released medical records without obtaining a signed medical release. If protected medical records or hospital records are released by a doctor or a hospital without a valid medical release, does the patient have a cause of action against the hospital, doctor or third person that caused the release of the medical records? If so, what is the basis of that cause of action?
HIPAA Disclosure Forms
The Health Insurance Portability and Accountability Act of 1996 is frequently cited as the HIPAA law. We are all familiar with signing HIPAA disclosure forms when attending a doctor's appointment or being seen or admitted to a hospital. HIPAA is a federal law that controls disclosure of patient information, which includes information about healthcare facilities, licensed practitioners and suppliers of healthcare services or supplies. This law applies to private insurers, public health programs, health maintenance organizations (HMOs), healthcare service contractors and insured or self-insured group health plans that have 50 or more enrollees and are administered by a third party.
To better understand the HIPAA privacy rules, see the United States Department of Health & Human Services website at www.hhs.gov/ocr/privacy/hipaa/understanding/, which has easy-to-understand information concerning the HIPAA privacy rules that apply to all of us. It defines who is entitled to look at and receive your health information.
What Health Information Is Protected?
Essentially, all of your health information is protected and cannot be released without a valid release. However, your health information can be used and shared for your treatment and care; to pay doctors and hospitals for your healthcare; and to make required reports to the police, such as reporting a gunshot wound. Unless there is an exception, such as a requirement under the law to report to the police or to protect the public health (e.g., reporting when the flu is in your area), your health information cannot be shared without your written permission and certainly cannot be provided to your employer or shared for marketing or advertising purposes.
In the event that such a disclosure is made, you can file a complaint with the federal government. The form for the complaint is accessible and can be downloaded from the U.S. Department of Health & Human Services website at the aforementioned link.
Medical Professionals May Be Liable for Unauthorized Disclosure of Medical Information
The Ohio Supreme Court in Biddle vs. Warren Gen. Hosp. (1999), 86 Ohio St. 3d 395, determined that a hospital and its attorneys can be held liable for the unauthorized disclosure of medical information. It is important to understand that, absent specific exceptions, the privilege to disclose protected health records is limited. While a physician or hospital may have an obligation to disclose information pursuant to statute for the safety of individuals and, in limited circumstances, where matters of public interest arise, a physician or hospital may not otherwise disclose protected health information.
In Biddle, the court determined that the disclosure by the hospital to its attorney for purposes of attempting to allow its law firm to search for potential Social Security claimants — on the basis that the medical bills of one or more of the patients may thereby be paid by Medicare — is not authorized as a matter of business practice without specific authorization.
Establishing a Claim for Unauthorized Disclosure of Nonpublic Medical Information
Biddle recognized a claim that a patient may have against a hospital, doctor or a third party that induces the unauthorized, unprivileged disclosure of nonpublic medical information. In order to establish a claim, a patient must prove that the doctor, hospital or third party knew that the information was protected as part of the physician/patient relationship; that the defendant intended to induce the physician to disclose information about the patient; and that the defendant did not reasonably believe that the physician could disclose the information to the defendant without violating the duty of confidentiality. In Biddle, the court determined that a hospital can breach the duty of confidentiality it owes to a patient, and that the law firm in this case that induced the hospital to release the information could also be held liable.
While there are very few claims in Ohio that have resulted in compensation to a patient for the unprivileged, unconsented disclosure of protected health information, the federal government takes such violations seriously and, under the right circumstances, an invasion of privacy and an induced disclosure of protected information for business purposes that is not protected may result in an appropriate compensable claim.