Violations of the Health Insurance Accountability and Portability Act are serious business, but they may not be sufficient grounds to sue violators, absent other circumstances, according to a decision just reached by a federal judge. A plaintiff in Washington, DC had charged that LabCorp left her protected health information (PHI) in plain sight at a local hospital, where it could be viewed by others not authorized to see it. That has been accepted as fact and was never in dispute, but the judge ruled that while HIPAA provides both civil and criminal penalties for improperly handled or disclosed PHI, the statutory language limits enforcement to actions by the Department of Health and Human Services (HHS) and states’ attorneys general—not private citizens or patients, in other words. So when it comes to protection of PHI under HIPAA, the overriding guidance is “no harm, no foul.”
Published on
Upheld: HIPAA Violations by Themselves Are Not Ample Grounds to Sue