Deanna Fei was only five and a half months pregnant when she went into labor, unsure whether her baby would live or die. At less than two pounds, her baby, Mila, was very fragile and needed extensive medical care. Thankfully, Mila received the care she needed and is now a healthy two-year-old. But a year after Fei gave birth, the CEO of AOL, Tim Armstrong, announced that employee benefits would be cut due to the high costs of two “distressed babies.”
Fei’s husband was an AOL employee and one of the “distressed babies” was their daughter Mila. When other employees started asking her husband if it was their baby the announcement referred to, Fei decided to speak out against Armstrong. She argued that singling out an individual for their healthcare costs undermines the basic principles of health insurance. After a huge response, Armstrong apologized and reversed his decision.
Fei’s experience brought attention to individual privacy regarding medical records and how insufficient the current protections are for individuals. According to the Health Insurance Portability and Accountability Act (HIPAA), health plans and other entities are not legally allowed to share medical information about their insured individuals. While Armstrong did not reveal specific names, it was obvious to employees who he was referring to. Armstrong’s actions were considered unethical – and possibly a violation of existing medical privacy law – by a number of medical and legal experts.
Medical Data is Big Business
Anonymized medical data is a multi-billion-dollar industry, and medical privacy plays a big role in this high-stakes game. For example, when IMS Health Holdings filed to become a public company, ProPublica found that the company’s revenues in 2012 reached $2.4 billion. IMS Health Holdings acquires medical data from pharmacies and sells it to biotech and pharmaceutical companies. Sixty percent of its revenues came from selling this data.
While medical data mining firms call the practice harmless claiming that the data is truly anonymous, this is not necessarily true. In many cases, the data can be de-anonymized using cross-referencing techniques that can match the data with the individual. Hackers can also breach medical records, as can workers who are manually printing files.
Can You Sue if Your HIPAA Rights Are Violated?
Technically, no – as a patient, you cannot sue for a HIPAA violation, because there is no private right to action. According to HIPAA Journal, “There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules.”
But that does not mean you have no legal recourse. These types of cases can often result in a HIPAA-related claim by calling the disclosures a form of medical malpractice. An example of this is when a Walgreen’s pharmacist shared patient information with her husband about his ex-girlfriend. The pharmacist thought the woman might have given her husband a sexually transmitted disease. Using private information given to him by his wife – a Walmart employee – the man confronted the ex-girlfriend via text. A jury found Walmart liable for 80 percent of the total damages of $1.44 million.
NJ courts have also recognized HIPAA violations as a type of medical malpractice; as such, plaintiffs have moved forward with claims that stemmed from violations of those privacy laws.
Can You Go to Jail for Violating HIPAA Laws?
Potentially, yes – you can go to jail for violating HIPAA laws. You can be sentenced to jail for:
- Unknowingly or with Reasonable Cause, for up to one year.
- False Pretenses, for up to 5 years.
- Personal Reasons or to Commit Fraud or a Crime, for up to 10 years.
You may also face millions of dollars in civil and/or criminal penalties.
Giving Patients More Privacy
Psychiatrist Dr. Deborah Peel founded the Patient Privacy Rights organization in an effort to address this problem. Peel recalled patients who would rather pay cash for their appointment than risk having their medical records fall into the wrong hands. Peel expressed her concern over the amount of control that hospitals and health plans have over where our data goes, and the need for a chain of custody.
Medical data can be found in unexpected places. Wearable health devices like glucometers and fitness trackers like FITBIT can store enough information for data miners to paint a detailed picture of who was wearing it. In fact, the data obtained from these types of devices is so high quality that insurance premiums can be determined based on the information. Employers often use this information to negotiate things like reduced health insurance rates and premiums if an employee reached a certain health-related milestone like walking one million steps in a year.
New Jersey Medical Malpractice Lawyers at Eichen Crutchlow Zaslow and McElroy Advocate for Victims of Medical Privacy Issues
If you or someone you love has been had your medical privacy violated, contact New Jersey medical malpractice lawyers at Eichen Crutchlow Zaslow and McElroy. We are committed to providing dedicated, aggressive legal representation and will work tirelessly to ensure that you receive the financial compensation you deserve. Our offices are located in Edison, Red Bank and Toms River, New Jersey. For a free consultation, call 732-384-1331 or contact us online.