Cleveland HIPAA Lawyer

For patients, it is assumed that discussions between them and their doctor or nurse will remain confidential.  A privacy lawyer will tell you that all healthcare providers do indeed owe a fiduciary duty to their patients to protect their health information.  This basic tenet of medicine has been long established, but was formally reduced to federal legislation in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  In addition to the HIPAA law, the State of Ohio has its own laws regarding protection of health information, which largely dovetail with the HIPAA legislation.

The HIPAA laws do not include a private right of action.  This means that when a healthcare provider, like a hospital, doctor or nurse, violates your HIPAA rights, the HIPAA law does not provide a right to sue the wrongdoer or to recover compensation.  It is essentially a law with no teeth.  However, Ohio common law recognizes a claim for violation of the right to privacy under these circumstances.  Common law is developed by judges through the rule of law set forth in published case opinions.  Ohio’s common law right to privacy provides for the right to sue for money damages when a healthcare provider discloses or accesses your protected health information without authority to do so.

In the early 2000s, every major hospital system took advantage of federal funds earmarked for the development of electronic medical record systems.  Once your health information is computerized, it becomes potentially accessible by many employees of a hospital system.  Recognizing this, the HIPAA rules include security standards for the protection of electronic protected health information.  These standards include administrative, physical and technical safeguards designed to protect against unauthorized access and disclosure of patients’ protected health information.  Safeguards are required to “ensure the confidentiality, integrity and availability of all electronic protected health information…”  In addition, safeguards must “protect against any reasonably anticipated threats… to the security or integrity of such information” and “protect against any reasonably anticipated uses or disclosures of such information that are not permitted…”  In addition to the safeguards, the HIPAA rules require hospitals to develop emergency protocols that allow emergency department personnel to access medical records when a patient’s life or health is under immediate threat.

Despite these clear legal requirements, snooping by hospital employees into the medical records of patients still occurs at an alarming rate.  As a Cleveland HIPAA lawyer and privacy lawyer, I receive several calls a year regarding these cases.  Typically, snooping occurs when a hospital employee looks at the medical records of an acquaintance out of curiosity or of a rival for advantage.  In addition to these intentional violations of a patient’s right to privacy, inadvertent disclosures also occur.  It is important to note that the claim for violation of the right to privacy does not distinguish between intentional and negligent disclosures.  Both are actionable.

Very few Ohio cases address the common law right to privacy.  For this reason, there are a number of “gray areas” regarding how the law applies.  For example, no Ohio case specifically addresses what damages are compensable when a patient’s right to privacy is violated.  In the absence of case law, a Cleveland privacy lawyer or HIPAA lawyer will look to other States’ laws or the Restatement (Second) of Torts, which is a compendium of legal principles composed by legal scholars.  The Restatement (Second) of Torts provides that compensatory damages for a violation of the right to privacy can include emotional distress, including mental suffering, anger, embarrassment and humiliation suffered by the patient from the disclosure, along with “special damages.”  Special damages might include expenses associated with counseling or costs associated with clearing one’s credit history if the unauthorized access includes financial information.

When a rogue employee snoops on a patient’s medical records for their own personal reasons, the hospital system will argue that the employee acted outside the course and scope of their employment.  The hospital makes this argument in an effort to avoid accountability.  However, the HIPAA rules requiring security standards and safeguards firmly place responsibility on the hospital itself for preventing unauthorized access by employees who have no business reason for doing so.  Two Ohio courts have already gotten this wrong, specifically holding that the hospital is not vicariously liable for harm caused by an employee’s snooping activities, a classic HIPAA violation.  This is a grave injustice to patients that ignores federal law.  When an employee can only get access to a patient’s medical records by virtue of credentials issued by their hospital-employer, the hospital must be held responsible for failing to implement safeguards needed to prevent unauthorized access by the employee.  Eventually, the Supreme Court of Ohio will address these important issues.

For more information about violation of Healthcare Privacy, contact Mishkind Kulwicki Law Firm today.