Hello, i recently owned a series of hearing centers that were located inside of eye care practices that we rented space from. The eye care professional would screen all of his eye care patients that came in for eye care exams and if they failed the screening he would refer patients to my hearing center.
In addition the eye doctor gave me a list of all of his patients (name, address, city, state, phone, date of birth) to market/advertise to those patients to bring them into my hearing center where he received profit
My question is did the eye care professional break HIPPA laws (privacy) of all of their patients by providing another business with patient information without their patients consent and if so what is the penalty and possible infractions these eye doctors could face in a suit
Health Care Lawyer
It appears in the first scenario that the eye care professional is referring the patient for treatment from the hearing center("treatment" includes diagnosis under HIPAA's definitions). Marketing communications do not include referrals for treatment. Further, face-to-face communications between an eye care professional and a patient involving treatment referrals are not marketing communications. However, if the eye care professional is disclosing protected health information(PHI) to the hearing center in exchange for direct or indirect remuneration for the hearing center to make a communication about its products or services that encourages the patients to purchase or use the hearing center's products or services, that is a "marketing communication" under HIPAA and the patient must authorize the disclosure of PHI and be informed that remuneration is being exchanged.
In the second scenario, it appears that you are paying the eye care professional for PHI in order for the hearing center to market or advertise to all eye care patients, or the eye care professional is selling the PHI to the hearing center. In either case, the patient has to provide written authorization for the disclosure/sale of the PHI and the patient must be informed that remuneration is being exchanged. In either case, violations of HIPAA occur if patient authorizations are not obtained in accordance with HIPAA's requirements.
There are no private cause of actions under HIPAA, but the HHS Office of Civil Rights may bring enforcement actions and fine providers for violations of HIPAA. Also, state attorney generals may file suit to enforce HIPAA. Patients may sue for violations of state law or common law causes of action such as invasion of privacy or other torts.
There may Illinois laws there are stricter than HIPAA regarding marketing communications and sale of PHI. You should obtain legal counsel to discuss these matters and your licensing board's rules regarding receiving PHI in exchange for remuneration.
Landlord / Tenant Lawyer
There are lawyers in Chicago that focus their practice on healthcare law and the many highly technical regulations in that industry. I suggest you seek out one of those lawyers for a formal opinion before you are on the wrong side of massive governmental fines.
Though we strive to provide accurate legal information in our answers on AVVO, our answer should not be construed as legal advice and it does not create an attorney-client relationship. Our firm only forms attorney-client relationships by written agreement signed by both our firm and the client. Please seek an in-person consultation with an attorney immediately as almost all legal matters are time sensitive and failing to meet deadlines can result in adverse consequences.