Often, when a person finds themselves on the injured end of a car wreck, plaintiff’ personal injury attorneys know that a significant part of the pre-litigation and/or settlement process is gaining access to the medical records of their clients. Medical records are important for several reasons. For one, they provide documentation of previous injuries, thereby allowing attorneys to more effectively identify pre-existing injuries versus injuries that were sustained as a direct result of the accident in question. This is particularly helpful when it comes to proving causation. Medical records also help determine whether a pre-existing condition may have been exacerbated by the car crash. When it comes to settlement, a doctor’s record of the helps attorneys more accurately figure exactly how much money to request during settlement, or when it comes to litigation, how much money might be requested in terms of damages.
However, maintaining the medical privacy of plaintiffs is just as important as acquiring access to those records. In fact, medical providers may be held liable if such records are released without the voluntary consent of the patient. The primary way that medical providers circumvent liability is to require that anyone requesting a patient’s records first acquire the patient’s permission vis-à-vis a HIPAA form. “HIPAA” is an abbreviation for the Health Insurance Portability and Accountability Act of 1996, a law whose primary purpose is to ensure the protection of all patients’ right to medical privacy and to prevent unnecessary disclosures of medical information. In many cases, doctors, however, may still disclose a patient’s PHI (Permissive Disclosure) without consent, especially if said information is related to treatment, payment or health care operations. The Act took effect in April of 2003, and while welcomed by most patients and consumer advocacy groups, many medical providers have found it to be a pain to conform to the new privacy standards that were implemented by the rule, even today – almost a decade later.
Take, for instance, Boston-based “Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, a provider group that recently agreed to “pay $1.5 million to settle a HIPAA security-rule violation case.” While the settlement does not actually constitute an admission of guilt, Healthcare IT News reports that the settlement also requires the group to “take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.” The original case resulted when, in early 2010, an unencrypted personal laptop containing the medical information of some 3,621 individuals was stolen from facility. The theft resulted in a breach for which the provider was eventually to be called responsible, which is why the resolution agreement requires the company to provide more adequate security measures in the future.
As this was an inadvertent breach, some might say that MEEI got off easy. Those who commit intentional breaches will not fare nearly as well. People who violate HIPAA can face both civil and criminal penalties, including fines and/or imprisonment for one to 10 years. Criminal penalties can be imposed on doctors that knowingly violates the Privacy Rule and/or disclose a patient’s PHI for personal gain, false pretenses, or malicious purposes, writes Vincent Iannelli, M.D., forAbout.com.
What implications does this have for personal injury cases? Ultimately, it means that when it comes to tort cases, attorneys and medical providers must work hand-in-hand to ensure that procedures for requesting and obtaining medical records are followed properly. If you or someone you know is a potential plaintiff in a personal injury case, make sure you arm yourself with knowledge of your privacy rights as a medical patient and discuss permissions with both your attorney and your medical doctor.