This is a true story that occurred recently in Indiana. Failing to collect payment for treatment, a medical group sent a patient to collections. In providing the unpaid bills to the collections attorney, practice staff failed to redact sensitive information. When the attorney filed the bills with the court as part of his collection action, the patient’s positive HIV status became public record.
The patient sued the practice and won. The jury awarded $1.25 million in damages.
As a case of wrongful disclosure this one seems pretty open-and-shut. But how exactly did the patient and his attorney proceed? Under which of the following did the patient bring action:
•HIPAA privacy rule
•HIPAA security rule
•HITECH breach notification rule
•Indiana Medical Malpractice Act
The patient sued the practice and won under the Indiana Medical Malpractice Act.
Why not HIPAA? Because he could not.
The case is a good reminder that although HIPAA sets a standard for an individual’s privacy rights it does not provide a private right of action, says Nicholas K. Lagina, an attorney with Krieg DeVault, based in Indiana.
When it comes to HIPAA violations, the patient is limited to filing complaints with appropriate governmental agencies, such as the Office for Civil Rights, he says. Other sources of law must form the basis of a lawsuit.
READ THE FULL ARTICLE