Update on HIPAA and Privacy Cases

Our friends at Mishkind Kulwicki Law Co., L.P.A. previously blogged about HIPAA violation cases under Ohio law about 10 years ago. Since then, their phone rings several times a week with callers seeking advice on cases involving violation of their HIPAA rights. Unfortunately, they do not handle these claims. Following is some general information about your rights when a hospital or healthcare professional violates your HIPAA rights. An experienced medical malpractice lawyer can help determine whether a situation involving a privacy breach may also involve actionable negligence or other legal claims.

The HIPAA law is an extensive statute and set of regulations that governs the use of electronically stored medical information. While the law set out with good intentions, it falls far short of protecting everyday Americans. For starters, the law does not contain a private right of action. This means that the HIPAA law does not provide a mechanism to sue when a hospital or healthcare worker violates a patient’s rights under the law. Ohio courts, however, provide a very limited scenario under which patients can sue. The courts have not been willing to expand that limited rule of law to protect patients from negligent healthcare providers.

The current law allows patients to sue a healthcare provider when the healthcare provider shares the patient’s confidential health information with a third party without the patient’s authorization. This sounds good, but in practice, the law offers little protection to patients. A patient may sue a healthcare provider for any violation of the patient’s HIPAA rights. However, collecting on such a claim is the real problem. Ohio courts have routinely held that patients cannot collect from the healthcare provider’s employer when the healthcare provider intentionally violates the patient’s right of privacy. The most common intentional disclosure is when a healthcare provider accesses the patient’s record and discloses sensitive information to third parties. One example would be when a hospital employee accesses the record of someone that they know and then posts information about the patient on social media. In these instances, Ohio courts have decided that the hospitals that employ the offending healthcare worker get off scot-free, even though the hospital provided access to the electronic medical record and failed to provide adequate safeguards to prevent employees from accessing records that do not relate to their work.

Further, when these violations of a patient’s privacy are intentional, the healthcare provider’s insurance does not cover harm caused by the unlawful disclosure. So, patients are stuck suing the individual healthcare provider and collecting solely from the healthcare provider’s personal assets. Most employees who engage in unlawful snooping are hourly wage workers with no appreciable assets. So, they are effectively uncollectible. As a result, lawyers are not willing to pursue these claims on a contingent fee. The old adage, “you can’t get blood from a rock,” applies here.

When your HIPAA rights are intentionally violated by a healthcare worker, you have a few options. First, you can report the individual to their employer. It is important to report the breach through the proper channels. Reporting HIPAA violations to an individual’s employer should follow the steps set forth in the facility’s Notice of Privacy Practices, which is typically posted online. One benefit of complaining to the facility is that they will send a letter validating that a breach has occurred.

Another option is to report the infraction to the Department of Health here: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.

Finally, since a lawyer is not likely to take your case, you can file suit on your own against the offending individual in your municipality’s small claims court. This is the so-called “people’s court” where individual litigants can represent themselves in a lawsuit. You will want to read the court’s rules for filing a lawsuit and pay special attention to the jurisdictional limit on how much you can sue for within that court.

When a healthcare provider negligently discloses your confidential health information without your permission, you still can sue the individual and their employer. A common scenario for negligent disclosures would be when a healthcare provider shares information with family members without your authorization and without any compelling reason to do so.

Please note that the statute of limitations for HIPAA claims in Ohio may be as short as one year. While privacy claims in Ohio carry a four-year limitations period, crafty hospital lawyers argue to courts that the one-year limitations period applies to “medical claims.” This issue is now being resolved by Ohio courts.
