Then and now, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) sought to “… improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery …” and a myriad of other significant objectives. See P.L. No. 104-191, 110 Stat. 1938 (1996), at Preamble. But, it was not until 2003 that meaningful, national standards were released to govern the use and disclosure of protected health information (PHI). See HIPAA’s Privacy Rule at 45 C.F.R 164.500. The obligations of a HIPAA Covered Entity or its Business Associate and a patient’s right to access healthcare records, bills, or even an itemization of disclosures of PHI are contained in HIPAA’s Privacy Rule.
HIPAA is justifiably a topic of extensive legal analysis. It can be likened to a patient gateway for consumer review, inspection, and receipt of PHI under the penumbra of privacy and confidentiality. Even though HIPAA lacks a private right of action for consumers to invoke as a means of protection against the unlawful actions of a Covered Entity or its Business Associate, some consumers are turning to the civil court system and seek protections under state-based tort law claims. In addition, the failure to comply with HIPAA could result in enforcement by the U.S. Department of Health and Human Services’ Office for Civil Rights, the Massachusetts Attorney General’s Office, the Massachusetts Board of Registration in Medicine, or other grievance mechanisms that a disgruntled patient might initiate.
I recently presented at a Massachusetts Bar Association | Health Law Section event in Boston regarding “HIPAA Privacy and the Omnibus Rule: Accessing Medical Records.” (Kindly click on the link to my PowerPoint presentation.)
Lorianne M. Sainsbury-Wong MBA Health Law Section Council, Chair
Litigation Director & Compliance Atty. healthlawadvocates
One Federal Street Boston, MA 02110 617-275-2987 (fax) firstname.lastname@example.org