What Can I Do After an Improper Disclosure of Medical Records?

Your medical records are considered confidential information under federal privacy rules established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). You may still become the victim of an improper disclosure of medical records, however, through a data security breach, the improper maintenance of records, or someone snooping in your paper-based patient file without authorization.

So what should you do if you believe the privacy of your medical records has been compromised?

The following information provides a summary of your privacy rights under HIPAA, how to file a complaint with the Department of Health and Human Services (HHS), and legal options available through state law. See "Health Care Law" for related topics.

HIPAA and Medical Records

Health care providers, health insurance companies, and other entities involved in the administration of health care may not share personally identifiable medical information without your consent. It is important to note that this rule does not restrict the ability of doctors, nurses, and other providers to share the information needed to treat you.

Medical records may include your medical history, family medical history, information about your lifestyle, past procedures, laboratory test results, prescribed medications, genetic testing results, and related information. HIPAA applies to information held or transmitted in any form or media, including electronic, paper and oral.

Covered entities such as doctors and hospital administrators must obtain your written authorization in order to share such medical information with life insurance companies or other outside businesses.

See "Privacy and Your Health Information" (PDF) from HHS for more details.

How to Take Action After an Improper Disclosure of Medical Records

Consider taking the following two steps if you believe your private medical records have been improperly shared or exposed:

  1. Contact the person or entity responsible for the disclosure, ask them to retrieve the disclosed records, and request that whoever received them destroy their copies. The responsible party may be willing to help you in the event that an error has occurred.
  2. Contact HHS to describe the alleged incident and request an investigation. If HHS uncovers any HIPAA violations, the agency may warn or discipline the person responsible for the disclosure, or refer the matter to the Department of Justice for prosecution.

To file a complaint with HHS, fill out a "Health Information Privacy Complaint" (PDF) form and file it within 180 days of the alleged act. Make sure you send your complaint to the appropriate regional office, via mail or fax. If you have any questions about the complaint process, see "How to File a Complaint (HHS)" or send your question to OCRMail@hhs.gov.

See "Office for Civil Rights - Headquarters and Regional Addresses" for the mailing address, fax number, and telephone number of the regional office near you.

Breach of Privacy Lawsuits

Your state's law may provide other avenues for relief, such as the right to sue for invasion of privacy or breach of doctor-patient confidentiality and to recover damages for injuries caused by the disclosure of your medical records. Although HIPAA itself does not give you the right to sue in federal court, lawsuits filed in state courts have used HIPAA standards to establish liability.

A local attorney with experience in medical privacy matters may be in the best position to give you advice tailored to your specific situation and jurisdiction.
