Hospital Privacy HIPAA Violation Lawsuits

Patients who exchange information about their medical condition, treatment, and finances with their healthcare entities and providers have a reasonable expectation that this information will be kept private.

However, as the result of a recent major breach, hundreds of prominent hospitals and healthcare facilities violated their patients’ privacy by sharing personally identifiable information with third parties, including Facebook, in violation of state privacy laws. The affected facilities are located in the following states:

  • California
  • Florida
  • Maryland
  • Massachusetts
  • Pennsylvania
  • Washington

HIPAA violations related to social media are not new. In 2017, a 24-year-old North Carolina medical technologist posted about a patient killed in a car crash, using the words, “Should have worn her seatbelt…” Although the employee said the purpose of her post was to remind people to wear their seatbelts, the post went viral and was considered to have disclosed protected health information (PHI) about the patient, even though the patient was not named. As a result of the disclosure, the employee was fired.

Privacy Laws Hospitals Must Follow

HIPAA (the Health Insurance Portability and Accountability Act of 1996) not only gives patients rights over their health information, but also sets rules and limitations on who can look at and receive this information, whether it is electronic, written, or oral. Prior to HIPAA, no comprehensive federal rules existed to protect patient health information, and as new technologies emerged to improve the quality and efficiency of patient care, the number and severity of potential security risks also increased.

Most health care providers, including doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists, must follow HIPAA’s privacy regulations, which apply to the following:

  • Information doctors, nurses, and other health care providers put in a patient’s medical record.
  • Conversations doctors have with nurses and others about a patient’s care or treatment.
  • Patient information contained in a health insurer’s computer system.
  • Billing information about patients.
  • Most other health information kept about a patient by those who are required to follow the regulations.

Under HIPAA’s Privacy Rule, covered entities and their business associates must put safeguards in place that protect patients’ protected health information (PHI) so that it is not used or disclosed improperly. These individuals and entities are required to reasonably limit the use and disclosure of this information to the minimum necessary to accomplish the intended purpose, and must implement procedures that limit who can access and view patients’ PHI. They must also implement training programs that instruct employees on how to protect patient health information.

HIPAA also includes a Security Rule that establishes a national set of security standards for protecting electronic health information that is created, received, used, or maintained by a covered entity. It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI.


What is Considered a Breach of HIPAA?

Federal regulations have defined a breach of protected health information as the “acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA which poses a significant risk of financial, reputational, or other harm to the affected individual.” That “significant risk of harm” wording comes from the original 2009 Breach Notification Rule (45 CFR 164.402). Since the 2013 HIPAA Omnibus Rule, any impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised. “Unsecured” PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption that meets HHS guidance.

Some common examples of social media HIPAA violations include:

  • Posting information about a patient to unauthorized parties, even if the patient is not named.
  • Sharing any form of PHI, including photos, without written consent from a patient.
  • Assuming that posts are private or have been deleted when they are still visible to the public.
  • Sharing of comments or pictures that happen to contain protected patient information (charts or files).

Social media violations of HIPAA are becoming increasingly common, and although they are difficult to predict or prevent, their consequences can be severe. They can include civil lawsuits, loss of a medical license, employee termination, civil monetary penalties of $100 to $50,000 per violation (capped at $1.5 million per year for violations of the same provision, with amounts adjusted for inflation), and criminal penalties of as much as $250,000 in fines and up to 10 years in prison.

Has a Hospital Violated Your Privacy?

Contact an Attorney Today

A privacy breach is a very serious matter. You may be able to recover damages by filing a lawsuit if:

  • You have a Facebook account.
  • Your hospital or doctor’s office was one of the affected facilities.
  • You have visited pages on the healthcare entity’s website and/or logged into a patient portal within the last two years.
Written by: Simmons Hanly Conroy Editorial Team

The Simmons Hanly Conroy Editorial Team consists of journalists, writers and editors who strive to deliver accurate and useful information to families needing legal help. Our team works alongside the firm's attorneys and partners, as well as with medical professionals and other specialists, to keep all information relevant and helpful.