1. What Legal Protections Cover My Healthcare Information?
Federal law, principally the Health Insurance Portability and Accountability Act (HIPAA) and the Privacy, Security, and Breach Notification Rules issued under it, sets a baseline of protection for health information held by covered entities and their business associates. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions; business associates are the vendors and contractors that create, receive, maintain, or transmit that information on a covered entity's behalf. Beyond HIPAA, New York provides additional protections under the Public Health Law and the General Business Law, some of which reach entities or categories of information that federal regulation does not.
How HIPAA Defines Protected Health Information
HIPAA protects individually identifiable health information: medical records, billing records, and any other information that identifies you (or could reasonably be used to identify you) and relates to your past, present, or future physical or mental health condition, the care you received, or payment for that care. The Privacy Rule covers this information in any form: paper, electronic, or oral. The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic protected health information, and the Privacy Rule separately requires reasonable safeguards for information in every form. Violations can result in civil penalties. Knowingly obtaining or disclosing protected health information in violation of the statute is also a federal crime, with enhanced penalties when the offense involves false pretenses or an intent to sell the information or use it for commercial advantage, personal gain, or malicious harm.
New York State Privacy Law and Coverage Beyond HIPAA
New York law reaches some situations HIPAA does not. The state's breach notification statute (General Business Law § 899-aa) requires any person or business that owns or licenses computerized private information of New York residents to notify affected individuals, and the state Attorney General and other agencies, when that information is acquired without authorization; unlike HIPAA, it is not limited to healthcare entities. Note, however, that the statute's definition of private information turns on specific identifiers (for example Social Security, driver's license, financial account, and biometric data) rather than on health information as such, so a disclosure of diagnosis or treatment details alone may not trigger it. New York does not recognize a general common-law tort of invasion of privacy, and its statutory right of privacy (Civil Rights Law §§ 50-51) is confined to commercial use of a person's name or likeness, so torts such as intrusion upon seclusion and public disclosure of private facts are not available here. New York courts do recognize a tort claim against a physician, hospital, or other medical provider for breach of the duty of confidentiality owed to patients, and ordinary negligence claims remain available, with HIPAA's requirements often cited as evidence of the standard of care. These state-law claims are the usual path to damages when federal law alone provides none.
2. When Does a Healthcare Privacy Violation Occur?
A violation occurs when someone with access to your healthcare information discloses it without authorization, or uses it for a purpose that neither the law nor your consent permits. This can result from negligence, intentional misconduct, or systemic failures in data security. Not every unauthorized viewing or disclosure triggers liability; courts and regulators weigh factors such as whether the person had a legitimate reason to access the information, whether reasonable safeguards were in place, and whether the information was actually used or passed to third parties.
Unauthorized Disclosure and Access
Unauthorized disclosure occurs when a healthcare provider, insurer, or member of their staff shares your information with someone who has no legitimate need for it and no legal basis to receive it: an employer, a law enforcement agency outside the narrow circumstances HIPAA permits, or any other third party, without your written authorization. Unauthorized access, by contrast, means someone views or retrieves your information without permission but does not necessarily pass it on. Courts tend to treat disclosure as the more serious violation because it exposes you to secondary harm such as discrimination or identity theft. Access without disclosure is still a violation under HIPAA and state law, particularly where it was intentional or reckless, and under HIPAA's Breach Notification Rule the entity must assess it as a presumptive breach and, unless it can show a low probability that the information was compromised, notify you.
The Role of Consent and Permitted Uses
You have rights over how your health information is used, but they are not unlimited. A provider or plan may use and disclose your information for treatment, payment, and healthcare operations without your authorization. You may ask a provider to restrict particular uses or disclosures; the provider is not required to agree, except that it must honor a request not to tell your health plan about an item or service you have paid for in full out of pocket, and once it agrees to any restriction it must abide by it. Most other uses and disclosures require your written authorization. When an entity goes beyond these permitted purposes, or discloses information to someone you did not authorize, a violation may have occurred. Whether a given use was permitted is frequently contested in litigation, especially when the provider argues that a disclosure served a legitimate operational or legal purpose.
3. What Are the Consequences of a Healthcare Privacy Violation?
Consequences depend on the type of violation, the entity responsible, and the jurisdiction. HIPAA civil penalties are assessed per violation in amounts that range from roughly a hundred dollars to tens of thousands of dollars depending on culpability, with an annual cap for identical violations; the figures are adjusted periodically for inflation. Criminal penalties apply to anyone who knowingly obtains or discloses protected health information in violation of the statute, with higher maximums for offenses committed under false pretenses or with intent to sell the information or use it for commercial advantage, personal gain, or malicious harm. State-law remedies may include actual damages for financial or emotional harm, statutory damages where a specific statute provides for them, and injunctive relief to stop an ongoing violation.
Federal Enforcement and HIPAA Penalties
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) investigates HIPAA complaints and can impose civil monetary penalties on covered entities and business associates or resolve a matter through a settlement and corrective action plan; state attorneys general may also bring civil actions for HIPAA violations affecting their residents. Penalties are tiered by culpability, from violations the entity did not know about and could not reasonably have known about, through reasonable cause, to willful neglect that is corrected promptly and willful neglect that is not, the last carrying the steepest penalties. HIPAA creates no private right of action, so you cannot sue directly under it; state-law claims fill that gap. In New York, that generally means a claim for breach of the duty of confidentiality owed by a medical provider, a negligence claim, or a claim under a specific state confidentiality statute. The state's breach notification statute is enforced by the Attorney General and does not itself give you a right to sue.
New York Court Procedures and Documentation Timing
In New York state courts, privacy claims turn on early and careful documentation of when you discovered the violation, what information was compromised, and how you were harmed. Each cause of action carries its own statute of limitations, and the period may run from the date of the violation or from the date you discovered it depending on the claim, so a suit filed months or years after the fact may be time-barred in whole or in part. Courts may also reduce damages if you failed to take reasonable steps to mitigate harm, such as placing fraud alerts or a credit freeze when identity theft was a foreseeable risk. As counsel, I advise clients to preserve every communication from the healthcare provider, every breach notification, and records of every step taken to address the harm, as these documents form the evidentiary foundation for the claim.
4. What Remedies and Protections Are Available to You?
Remedies vary depending on whether you pursue a federal complaint, a state administrative action, or civil litigation. Under HIPAA, you can file a complaint with OCR, which investigates at no cost to you. State breach notification laws entitle you to notice of a qualifying breach; some states also require the breached entity to provide credit monitoring, and entities often offer it voluntarily or under an Attorney General settlement. Civil litigation under state law may yield damages for economic losses and emotional distress and, where a particular statute provides for them, statutory damages.
Administrative and Regulatory Avenues
Filing a complaint with OCR requires no attorney and costs nothing. The agency investigates whether a covered entity or business associate violated HIPAA and can impose penalties or require corrective action. Complaints must ordinarily be filed within 180 days of when you knew or should have known of the violation, though OCR may extend that deadline for good cause. You can likewise complain to the New York Attorney General or the State Department of Health if you believe a provider violated state privacy law. These administrative channels do not compensate you directly, but they can force systemic changes that protect other patients and create an official record of the violation that can support a later civil claim.
Civil Litigation and State Law Remedies
New York state-law claims that may allow you to recover damages directly include breach of the duty of confidentiality owed by a medical provider, negligence, and violations of specific confidentiality statutes covering categories such as HIV status, mental health records, and genetic information. General privacy torts such as intrusion upon seclusion and public disclosure of private facts are not recognized in New York, and the breach notification statute does not create a private right of action. Related practice areas, such as biometric privacy, can overlap with healthcare when fingerprints or facial-recognition data are collected without consent. Damages may include compensation for economic harm, the cost of credit monitoring and other reasonable mitigation, and emotional distress; courts weigh the sensitivity of the information disclosed, the foreseeability of harm, and the defendant's conduct in setting them.
Preventive Measures and Documentation
Beyond remedies for past violations, you can reduce your future exposure. Ask your provider to restrict particular uses or disclosures of your information and obtain written confirmation of whether it agrees. Use your HIPAA rights to inspect and obtain copies of your records and to request an accounting of disclosures, and review both for entries or recipients you do not recognize. If you learn of a breach, record the date you were notified, what information was compromised, and what the entity did in response. Finally, review any advance healthcare directive or health care proxy you have executed, so that the people you intend to act for you in an emergency are clearly identified and no one is relying on an outdated document to obtain your information.
| Type of Violation | Applicable Law | Potential Remedy |
| --- | --- | --- |
| Unauthorized disclosure by covered entity | HIPAA; New York duty of confidentiality and confidentiality statutes | OCR complaint; civil damages under state law |
| Unauthorized access to medical records | HIPAA; New York duty of confidentiality | OCR complaint; injunctive relief; damages |
| Disclosure without authorization for non-treatment purposes | HIPAA; New York duty of confidentiality and specific confidentiality statutes | Civil damages; injunction; statutory damages where a statute provides them |
| Failure to notify of breach | HIPAA Breach Notification Rule; General Business Law § 899-aa | OCR complaint; Attorney General enforcement and civil penalties; credit monitoring where required or offered |
5. What Should You Do If You Suspect a Healthcare Privacy Violation?
Act promptly to document the violation and preserve evidence. Gather all communications from the healthcare provider, including breach notifications, denial letters, or explanations of how your information was used. Write down the date you discovered the violation, what information you believe was compromised, and any harm you have suffered, whether financial or emotional. Contact the healthcare provider's privacy officer to request an explanation and written confirmation of what occurred. If the provider cannot or will not explain the disclosure, consider filing a complaint with the Office for Civil Rights or your state's attorney general.
Evaluate whether you need to take protective steps, such as placing fraud alerts on credit reports if financial information was exposed, or requesting that future disclosures be restricted. Consider consulting with an attorney who handles privacy law to assess whether you have a claim for damages under state law and to understand the statute of limitations for filing suit. The timing of your complaint and the completeness of your documentation will affect both the strength of your claim and the remedies available to you.
07 May, 2026