Privacy of medical records is a legally complex subject. Medical record privacy is governed by a patchwork of federal and state laws, industry standards, privacy practices of specific providers, contracts between medical providers and their information management providers. In addition, the degree of privacy accorded to a medical treatment record can depend on the type of treatment rendered to the patient, and where and by whom the patient has been treated.
This article is not intended to address the entire subject of medical record privacy, but is only intended to address the circumstances under which a civil action would lie for a violation of medical privacy.
Federal Laws Governing Medical Privacy
Federal laws that govern the privacy of medical treatment records include the Federal Privacy Act of 1974, which covers Federal agencies, such as the Veteran’s Administration and the Department of Defense, and the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA. HIPAA applies generally to all medical providers in the United States, and imposes stringent limitations on disclosures, along with administrative and criminal penalties for intentional violations. However, HIPAA does not provide for any civil action for improper disclosure.
Some other federal laws governing medical privacy include Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA), which prohibits genetic information discrimination in employment, and strictly limits disclosure of genetic testing information. In addition, the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 makes records of drug abuse treatment and rehabilitation confidential.
These are merely a few of many Federal laws and regulations that affect the privacy of medical treatment records.
Georgia Law on Medical Records Privacy
No survey of medical privacy law would be complete without at least a brief discussion of the tort of invasion of privacy. Georgia was the first state to acknowledge judicially the existence of a legally enforceable right to privacy. In the context of violations of medical privacy this usually means that one can maintain a civil action for damages for the public disclosure of embarrassing private facts against a medical provider or other party with an obligation to maintain privacy.
Violations of medical privacy can also give rise to negligence claims. As noted above, HIPAA does not provide for civil actions to recover for violations, but in some states the courts have accepted that HIPAA regulations provide the standard of care for protecting medical information, and that a medical record disclosure in violation of HIPAA gives the injured party a negligence claim.
Genetic Testing Information
Outside the context of testing to determine paternity or in criminal cases, genetic testing information may only be used for therapeutic or diagnostic purposes. The testing results may only be disclosed to the individual tested and those whom he designates to receive that information. In the event that an insurance company uses genetic testing information in violation of the law they are subject to a claim under the Fair Business Practice Act of 1975.
Georgia Law on Mental Health Treatment Records
For decades now, Georgia has had a strong public policy against the unauthorized release of mental health treatment records. Georgia has statutorily recognized psychologist-patient communications to be confidential since 1951. In 1995, the scope of Georgia’s privilege was statutorily expanded to cover confidential communications between a patient and a licensed clinical social worker, clinical nurse specialist in mental health, licensed marriage and family therapist, and licensed professional counselor. In light of that expansion, it is appropriate to refer to the privilege as the “mental health privilege.”
Protecting confidential mental health communications from disclosure serves an important private interest and a public interest. As far as the individual patient’s private interest is concerned, confidentiality is an essential for successful psycho-therapeutic treatment since a psychotherapist’s ability to help a patient is completely dependent upon the patient’s willingness and ability to talk freely, and assurances of confidentiality and privilege foster the psychotherapist’s ability to function. In the case of Kennestone Hospital v. Hopson, 273 Ga. 145, 148, 538 S.E.2d 742 (2000), Justice Fletcher of the Georgia Supreme Court observed that
The purpose of the privilege is to encourage the patient to talk freely without fear of disclosure and embarrassment, thus enabling the psychiatrist to render effective treatment of the patient’s emotional or mental disorders.
Since “[t]he mental health of our citizenry … is a public good of transcendent importance[,]” the privilege serves the public interest “by facilitating the provision of appropriate treatment for individuals suffering the effects of a mental or emotional problem.”
Limited Disclosures of Medical Records or Information
In Georgia, disclosures of medical information made pursuant to laws requiring disclosure or pursuant to limited consent to disclosure do not destroy the privileged or confidential nature of those records. Those who receive confidential or privileged medical matter pursuant to legally required or limited consensual disclosure may only use them for those purposes and must otherwise keep them confidential.
What to Do If You Believe Your Medical Privacy Has Been Violated
If you believe your doctor or a hospital has violated your medical privacy rights, but you don’t know what to do, there is good news. There are simple steps you can take to begin addressing the violation of your medical privacy rights.
First, you may want to file a complaint with Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). This is the U.S. government agency responsible for investigating HIPAA violations and enforcing HIPAA regulations. You can read about the complaint process here. And you can file a complaint online with the Office of Civil rights here. Be aware that there is a time limit of 180 days from the date your medical privacy was breached, after 180 days have passed OCR has no obligation to investigate. If more than 180 days has passed, you may still want to file the complaint anyway; even though OCR has no legal obligation to investigate a complaint made after the deadline, a complaint places OCR on notice of a potential HIPAA violation that it can take into consideration if there are future violations by the same medical provider. Keep a copy of the complaint for your records and for an attorney, should you hire one. You will be contacted by OCR and notified that their investigation has begun and then you will be notified when the investigation is complete. Once the investigation has been completed, you will know if OCR found that a violation has occurred and what action they have taken against that medical provider.
Second, you should write out your complaint in a letter or an email and send it to the medical provider or hospital that violated your HIPAA or medical privacy rights. By law, every medical provider who must comply with HIPAA’s protected health information regulations must designate a person or office responsible for receiving HIPAA and medical privacy violation complaints. The identity of the privacy officer and the contact information for a privacy complaint can be found in the Notice of Privacy practices posted on the provider’s website. Once a medical provider is notified of a complaint, it must investigate, and notify HHS, any affected individuals whose privacy may have been breached, and sometimes the media. This is required by something called the Breach Notification Rule. Keep copies of any complaints you write, any emails you send or receive related to the complaints, and any letters or documents you may receive from any entity regarding their investigations.
Before you contact a lawyer, take these two steps and you are well on your way to protecting your rights. Your actions can prevent violations like this from happening to you and other people in the future.
If you believe that your medical privacy or HIPAA rights have been violated then call us at 912-401-0121, or contact us here.