HIPAA and Health Information Breaches

Data breaches that expose your private health information can be particularly damaging. If someone steals your credit card information, you can always cancel the card and get a new one. You can’t do that with your medical history.

Your medical records also contain sensitive information about you. You may not want people to know about treatments you’ve received or conditions you have. That information could hurt your chances to get certain jobs or insurance.

Health information breaches can also expose other information useful for identity theft. Your medical records can contain your address, social security number and financial information.

According to the National Cyber Security Alliance, in 2016, there were 450 data breaches that exposed the private health information of 27 million Americans.

A federal law commonly referred to as HIPAA protects your rights and sets rules for health care providers and insurers to follow in protecting your privacy.

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, signed into law in 1996. This law gives you the right to view and receive a copy of your personal healthcare information, but it also limits who else can see, collect or use your information.

The HIPAA privacy rule requires health insurers, most health care providers and organizations that process health information to protect the privacy of your health information. This includes any information that doctors, nurses or other people put in your medical records. It also includes any conversations or other communications they have about your condition or treatment.

Your personal and billing information stored by your health care provider or your health insurer is also protected. Hospitals, insurers, doctors and others may face fines if this information is disclosed or breached.

HIPAA requires anyone who handles or stores your digital health information to protect it with passwords, encryption or other technology. But there are several ways a data breach of medical records can happen.

The all-time largest health information breach was the 2015 spear phishing attack on Anthem, a licensee of Blue Cross and Blue Shield. The attack exposed tens of millions of patients’ records and cost the insurance company more than $130 million in penalties and settlements.

Spear phishing, used in the Anthem cyberattack, involves sending emails that appear to be from a trusted sender — often someone in the same company. When an employee clicks on a link or attachment in the email, the scammers gain access to the company’s network.

But some breaches are less sophisticated.

In 2015, medical records company Filefax reported it had potentially exposed the personal health information of 2,150 people after medical records were left in an unlocked truck in its parking lot.

The University of Texas MD Anderson Cancer Center reported a breach after the theft of a center-owned laptop from an employee’s home and the loss of two thumb drives. The devices contained the personal information of more than 33,000 people.

It doesn’t take a breach of thousands of patient records to be harmful. Sometimes a leak that affects just one or two people can have serious consequences.

This can happen when a doctor, nurse or other health care worker shares a patient’s medical information without their permission.

There have been cases where health workers posted patients’ lab results to social media. A New Jersey hospital worker was accused of leaking medical records of an 11-year-old’s suicide attempt to people at his school. As a result, the boy’s peers bullied him.

In 2013, a Florida nurse found records showing that a relative had secretly given birth and put a baby up for adoption. She shared the information with family members.

Leaking a single patient’s medical information can have serious consequences. The nurse in Florida was fired and forced to surrender her nursing license.

A medical group was sued when it took a patient to court over a $326 debt. In the public court filing, the company mentioned that the man had been diagnosed with HIV. The man was able to get the court record sealed and a jury awarded him $1.25 million.

Most attention surrounding HIPAA privacy violations goes to large breaches that reveal a lot of people’s personal or medical information — and there have been quite a few of them. The U.S. Department of Health and Human Services has a long list on its website of agreements and penalties it has won and collected from major health care providers, going all the way back to 2008.

The largest was a $16 million penalty that insurer Anthem paid in October 2018. It was one of 11 settlements or judgments that HHS’s Office of Civil Rights collected from companies that breached HIPAA privacy that year.

In addition to the penalty Anthem paid to the federal government, it paid another $115 million to settle lawsuits filed by people who had their information exposed.

HIPAA lets you send your health information to anyone you want. This can be helpful if you are sending it to a trusted family member or another health care provider.

However, you should be careful storing or sharing your health information on a mobile app, on your computer or with other people. Once you share it, your health care provider is no longer responsible for its security.

HIPAA only requires that health care workers, institutions and health insurance-related industries protect your medical privacy. If you share your health information with anyone else, they may not be covered by the law. They could share your information without fearing penalties or prosecution.

New health-focused phone apps are showing up almost daily. But HIPAA privacy protections don’t cover a lot of them. It’s important that you read any privacy policy before downloading and using a health-related app.

There aren’t a lot of federal regulations on what an app maker can do with your health information once you upload it. In many cases, it may be legal for the app maker to sell, re-purpose or share your information with others.

If you think your health information has been compromised, you should contact your insurance company or health care provider. You can also file a complaint with the Office for Civil Rights in the U.S. Health and Human Services Department, or by contacting the Attorney General’s Office in your state.

If the company or person responsible for exposing or sharing your health information is not covered by HIPAA, you may be able to file a complaint with the Federal Trade Commission.

You may also be able to file a health information breach lawsuit. Patients can’t sue directly for HIPAA violations. But you may be able to sue under other laws for the damage that a breach causes you. Talking with a lawyer who specializes in privacy issues could help you decide if you have a case.