HIPAA payouts rare, but complaints can be more costly

It’s not just fines or damages to affected patients from a HIPAA violation that can hurt medical practices, advises an attorney.

It’s unlikely a patient will be able to recover financial damages from a physician in court due to an unauthorized disclosure of their medical records. However, their complaints can result in unpleasant consequences for the practice. 

Most information about the Healthcare Insurance Portability and Accountability Act (HIPAA) and patients’ rights to manage who has access to their personal health information (PHI) emphasize the importance of covered entities remaining compliant with the law and the possible penalties that could result from non-compliance. Although those are important factors, patients may not understand where and how they fit into the picture. Karin Zaner, director and attorney at Kane, Russell, Coleman & Logan PC, in Dallas, Texas, says patients often think they will be entitled to financial compensation via a lawsuit, but that is actually an unlikely outcome.

Her office fields regularly calls from patients who claim doctors’ offices have allowed unauthorized access to their medical records. Zaner primarily represents physicians, but feels it is important that everyone involved understands the provisions of HIPAA, including patients, staff members and clinicians themselves.

It is unlikely that patients will be able to recover financial damages, according to Zaner. “Damages must be tied to the [unauthorized] disclosure itself,” she says. For example, if a physician’s office disclosed a person’s HIV-positive status, and then the person lost his job as a direct result of the disclosure, there is a possibility the patient could show causation and be able to recover damages.  In the hypothetical scenario of the school staff learning about the patient’s hepatitis C status, the patient doesn’t’ suffer financial loss.

Money aside, there are other ways that patients can make “life very uncomfortable for the physician,” says Zaner. The patient may have the attitude “I don’t want any money, but I want people to know,” she adds. For example, the angry patient may choose to make a report to the U.S. Department of Health and Human Services (HHS). That complaint will be reviewed by someone, and could rise to the level of an investigation. Depending on the outcome of an investigation, there may be penalties or even federal charges.

Another result of patient complaints could be action by the local and/or state medical board. In Texas, where Zaner practices law, the medical board may fine, publicly reprimand or even suspend or revoke a physician’s license if they find that the patient’s complaints are valid. “It doesn’t mean [the patient] will come away with a big payday, or a lawsuit, but there can be consequences,” says Zaner. 

The best thing to do is to make sure that everyone on the staff understands the provisions of HIPAA, have a designated privacy officer, perform regular internal audits and make every effort to follow the letter of the law. However, if there is a mistake of some kind, Zaner advises fixing it as quickly as possible. Doing so could appease the patient, and should an investigation occur, it’s best to be able to demonstrate what has been done to correct the problem.

“Make sure that when an error is brought to your attention, you fix it as best you can,” Zaner says.