Referral Service for the Community Group


Posted By Joette Melendez, Friday, April 6, 2018

Often mistakenly abbreviated as HIPPA, HIPAA stands for the “Health Insurance Portability and Accountability Act of 1996.” It is a set of federal rules designed in part to protect the privacy of a person’s health care information by providing notice and an opportunity for consent to the person whose health information is sought. Congress passed this law to regulate “covered entities,” namely (1) health plans, such as health insurance companies; (2) health care clearinghouses, such as billing companies and third-party administrators; and (3) health care providers, such as hospitals and doctors, and to keep them from disclosing patients’ private health records. Georgia, like most states, has similar laws protecting the confidentiality and privacy of patient health information. For instance, licensed Georgia hospitals must have a medical records service that is responsible for the administration of medical records. Ga. Code Ann., 290-9-7-18


The goal set out by the HIPAA regulation is to secure a person’s “protected health information” (PHI) in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service such as a diagnosis or treatment. PHI is information, including demographic information, which relates to:


The individual’s past, present, or future physical or mental health or condition;


The provision of health care to the individual; or


The past, present, or future payment for the provision of health care to the individual,


and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.


Section 164.514(a) of the HIPAA Privacy Rule permits the removal of personally identifiable information from medical records so that a covered entity would have no reasonable basis to believe it can be used to identify an individual. The Safe Harbor provision (Section 164.514(b)) is the most practicable way a covered entity can apply the “de-identification” standard. This is accomplished by removing personal identifiers from an individual’s records, such as: names; geographic subdivisions smaller than a state; telephone numbers; vehicle identifiers and serial numbers, including license plate numbers; fax numbers; email addresses; medical record numbers; biometric identifiers, including finger and voice prints; full-face photos; etc. Records disclosed following these guidelines are not protected under the Privacy Rule.


With the advent of HIPAA, patients now have the right to: receive a Notice of Privacy Practices (NPP); access and copy medical billing records; request an amendment of PHI or other records; obtain an accounting for some disclosures; request restrictions on use and disclosure of their PHI; request the use of alternate channels of communication of PHI (e.g., a different telephone number, a different address, etc.); and report violations to state and/or federal authorities.


Although HIPAA now imposes universal standards on covered entities to protect a patient’s privacy, it does not explicitly create an individual right of action for patients affected by a privacy violation. An individual does not gain a right of action to bring their own complaint against the responsible party, but must file a complaint with the Department of Health and Human Services or the appropriate state authority, such as a State Attorney General’s office. Usually, if the federal or state agency decides to pursue a victim’s complaint, it may impose fines against the covered entity and force it to implement a set of standards to avoid future HIPAA violations. However, for the individual who may now be subject to mental anguish, lost opportunities, or other damages due to a violation of their HIPAA rights, the law stops short of providing individual redress to claim damages.


Some attorneys, however, have found ways to institute private rights of action for clients whose HIPAA rights were violated. These actions are brought under state tort laws, where it can be shown that the covered entity was negligent in disclosing a patient’s private information and must be held liable for damages. HIPAA now provides a “bright-line” standard test for examining a covered entity’s negligence in disclosing a person’s PHI. State privacy laws, professional malpractice, and negligence are grounds that give legal causes of action to an individual whose HIPAA rights are violated. HIPAA law provides an attorney the framework to bring these causes of action. In a 2013 judgment, Walgreens was ordered to pay $1.44 million as a result of a pharmacist violating a patient’s medical records. HIPAA was not used as the basis of the lawsuit but was used as the applicable standard to show how the pharmacist and Walgreens committed negligence in disclosing health care information without a person’s consent.


This content was written by one of our panel members, Dorey N. Cole, an attorney in Atlanta, Georgia.


***If you or someone you know is faced with HIPAA issues, please call Atlanta Bar Association's Lawyer Referral & Information Service at 404-521-0777.***
