Your doctor and other health care providers, and anyone who works with or for them, can't share information about you with anyone else without your consent, thanks to the Health Insurance Portability and Accountability Act of 1996, or HIPAA. If you think that a violation has occurred, then the U.S. Department of Health and Human Services will investigate and can fine businesses found guilty of violating the Act.
Protected Health Information
HIPAA protects information specific to your health, like your medical records. HIPAA also protects general information about you, such as your age and address. This Protected Health Information, or PHI, includes anything that your doctor, health plan, health-insurance company, employer, school or life-insurance company creates or shares about you. For example, HIPAA protects the medical records your doctor sends to your insurance company when filing a claim. HIPAA spells out the types of businesses that must follow the guidelines, and those that are not required to.
Health plans, most health care providers and health care clearinghouses must follow HIPAA guidelines. HIPAA refers to these types of companies as covered entities. People who work for or with these types of businesses, also known as business associates, must follow HIPAA guidelines. For example, the company that handles your doctor's billing and claims or the company that your doctor uses to store or destroy medical records must comply with HIPAA guidelines. If one of these companies or business associates doesn't adequately protect someone's PHI, then it has violated HIPAA guidelines. Employers in industries that aren’t related to health care don’t have to follow these laws.
Complying with HIPAA guidelines means making a reasonable attempt to protect health information. Reasonable efforts can include removing identifying information from your medical records, replacing your name on a file with a number, limiting who has access to and can view your information, and training all employees on the importance of protecting health information and how to do so. HIPAA also covers conversations that someone has about you and your PHI. For example, your doctor must make sure no one can overhear any conversation she has about you with another health care provider.
When a Violation Occurs
If you believe a HIPAA violation has occurred, you can file a complaint with the Office for Civil Rights, or OCR, at the U.S. Department of Health and Human Services. You have 180 days from the day of the violation to mail, e-mail or fax a written complaint. Your complaint must include the names of all suspected violators and a description of the violation. You can download a complaint form from the OCR website. OCR can also answer any questions you have about the form or the complaint process itself. Your employer cannot retaliate against you for filing a complaint. If she does, notify OCR immediately.
If the OCR finds that a HIPAA violation has occurred, it can pursue civil and criminal action. Fines can range from $100 to $50,000 or more per violation. The OCR cannot fine the same business more than $1.5 million in a calendar year. If the OCR pursues criminal action, fines can range up to $50,000 and the person who violated HIPAA could spend one year in prison. Penalties increase depending on the severity of the violation. You can face up to a $250,000 fine and up to 10 years in prison if you violated someone's HIPAA rights for commercial advantage, personal gain or to maliciously harm someone.