The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is a Federal protection for the privacy of personal health information that was passed by Congress in 1996.
The purpose of HIPAA is to require health care providers and organizations to follow procedures that keep patient information confidential and secure. Due to technological advances and electronic record-keeping, HIPAA is a powerful tool to ensure that patient information remains private.
But what if a company or doctor violates the HIPAA? What are the consequences?
Let me answer this question by giving you an example: An injured offshore worker is sent to a company doctor. After recommending surgery, the injured worker wants to get a second opinion and finds his own doctor.
After the company insists on sending a company insurance adjuster to accompany the injured worker to the appointment with the second doctor, the company later meets with the doctor without the injured worker being present. During the meeting, without the injured worker present, the company adjuster discusses the injured worker's diagnosis and future treatment with the doctor.
The company adjuster lies to the doctor and gets the doctor to change his opinion on what the diagnosis is for the injured worker and what treatment is recommended.
All of this happens without the knowledge of the injured worker or even a follow-up appointment.
There are serious consequences for companies when they do exactly what I've outlined in my example.
Failure to comply with HIPAA can result in civil and criminal penalties.
Covered entities and specified individuals, such as doctors and hospitals, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison.
Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
Civil penalties may be assessed by the Secretary of the Department of Health and Human Services for violations.
Minimum penalties can be as little as $100 per violation up to $50,000 per violation.
Even though an individual's privacy may have been violated, there are currently no private causes of action allowed under the HIPAA where a patient may sue the doctor or health care provider.
Using the example above, the doctor could be convicted of a criminal offense and/or civil penalties. If the injured worker in the example above is involved in a lawsuit, a judge could rule that any testimony or documents from the visit that was a violation of HIPAA could not be used as evidence.
To learn more about your rights after a work injury, take a look at our work injuries practice area.