Examples of HIPAA Privacy Violations – More HIPAA Lawsuits Coming?

I found a list of a number of Privacy Violations. The list is quite outdated since its latest case was in 2002, but I thought that many of the examples could just as easily apply today. In fact, computers make many of these cases much easier to carry out, and also make the wrongdoing easier to track. Does that mean we are going to have more HIPAA lawsuits coming? I think it’s only just a matter of time.

Does EMR affect this? Probably not directly, but indirectly many of these cases could be related to your use of an EMR system.

Here are 2 examples that I found quite interesting from the HIPAA privacy violations article:

# A psychiatrist from New Hampshire was fined $1,000 for repeatedly looking at the medical records of an acquaintance without permission. Because there was no state law making it a crime to breach the confidentiality of medical records, the case was brought under a law against misusing a computer. (“Psychiatrist Convicted of Snooping in Records,” The Associated Press State & Local Wire, May 5, 1999)

# A jury in Waukesha, Wisconsin, found that an emergency medical technician (EMT) invaded the privacy of an overdose patient when she told the patient’s co-worker about the overdose. The co-worker then told nurses at West Allis Memorial Hospital, where both she and the patient were nurses. The EMT claimed that she called the patient’s co-worker out of concern for the patient. The jury, however, found that regardless of her intentions, the EMT had no right to disclose confidential and sensitive medical information, and directed the EMT and her employer to pay $3,000 for the invasion of privacy. (L. Sink, “Jurors Decide Patient Privacy Was Invaded,” Milwaukee Journal Sentinel, May 9, 2002)

My biggest comfort with HIPAA is that it doesn’t seem like they are really out headhunting. If you are an honest person who makes a bad choice, then HIPAA is kinder to you than to those that blatantly misuse the information. However, in our sue-happy world that might be changing.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • I think, and it’s only my opinion, that HIPAA is a great idea because this way people will know that the info about them is safe

  • Question: if a doctor sends your account to a collection and they post this on your credit report, is this in violation of the law?

  • I requested my EOB from my primary medical group insurance so I can submit to my secondary insurance so they can pay for my medical services, and when I received it, I did not just receive my information for the services I had done; there was also information with names and services done to other patients along with my information. Is this a HIPAA violation?

  • As to the #3 comment from Maria, YES, it was a violation. If you have ever received a mis-directed fax in which patient information is listed, that is a violation of HIPAA as well. Providers have a responsibility to verify current phone and fax numbers before giving out information, especially when faxing medical records. The disclaimer that is routinely included does not mean that the fax meets HIPAA requirements for records transmittal.

    The record Maria received should have been redacted.

    I really think that the possibility of misuse and abuse of the emerging EMR technologies is going to be a nightmare of HIPAA violations. Whether or not they are prosecuted remains in the hands of HHS.

  • I was at an Emergency Room and was treated with very little regard. I then complained to the director of the ER and was told that she had shown my chart to the nurses involved to get their thoughts. Is this not a HIPAA violation? Couldn’t this have been handled with the nurses seeing the chart without the name? They knew what they had done.

  • lisa,
    I’m not a lawyer and so I can’t give legal advice. I’d suggest consulting an attorney to get an official answer. I think it also depends on the state too.

    However, to me it seems like poor business practice more than a HIPAA violation. The nurses had already seen your name and the information and so it wasn’t exposing them to anything new. They have all signed HIPAA privacy agreements and you could pretty easily argue that they needed to see the information to know how to answer the director’s question.

    Does sound like a poor business practice though. From the little information given, it sounds like the director could have done a better job.

  • LISA – Not only is this not a violation of HIPAA, it would in fact be a normal business practice. When the Director goes to talk to the involved staff about a concern raised by a patient, the staff are not going to be able to respond unless they remember who the patient was and the circumstances of the visit. Given the busy-ness of a typical ER, you may have been just one of hundreds of people seen that week.

  • I requested copies of my HIPAA releases because I was suspicious about a therapist our family was using, and her unethical behaviors during our treatment with her. I do have a complaint pending at the DOH for other matters regarding her. Anyhow, in reviewing the HIPAA releases, I noticed one was “signed” by me on 3/14/05, with entities’ names written in, in different handwriting, different pen, names of people we had not even met yet. They were people from my daughter’s high school. On 3/24/05 she was not even in high school yet. She was 13 in the 8th grade on that date. Furthermore, we did not even begin family therapy until 11/25/05 with this therapist. She altered an authorization after I had signed it, on an old release I had signed for the same facility some months before treatment began with her. What do I do about this? She discussed our therapy with the school without a valid authorization, and it has caused significant damage, and psychological distress and anxiety. It has gotten so that I cannot even show my face at my child’s high school. I am so embarrassed by this.

  • Jennifer,
    Since I’m not a lawyer I really can’t give you legal advice. Plus, even if I was a lawyer, I probably wouldn’t give you legal advice over the internet. However, knowing the types of securities we place on our patient’s information and disclosure it sounds like you have a case worth talking to a lawyer about. Maybe an interested lawyer will see your comment and I’ll put them in touch with you if they express interest.

    Best of luck. It’s unfortunate when private information is shared.

  • Hello,

    My employer had a medical release by me with specific dates of release 10/23/08-10/31/08. My employer advised me that they left a message for my doctor on 10/30/08, and spoke to my doctor about my condition on 11/4/08. I need clarification if this is a violation of HIPAA, since my doctor and employer spoke after the dates outlined in my medical release, or is it within HIPAA regulations because my employer initiated the phone call prior to the expiration date. Also, why would my employer wait til almost the last minute to phone my doctor when they had the release for 7 days? Thoughts?

  • Arcy,
    You’ll have to consult a lawyer for a specific answer to your question. Some of those details are dependent on state laws and things. Plus, I’d be hesitant to offer any sort of legal advice online like this. Especially since I’m not a lawyer and I can’t offer legal advice.

  • I have a question. I requested my records from a state hospital (NY). I was told that to VIEW the records there was a $25 per hour fee. I told them that the HIPAA guidelines forbid charging a “viewing fee” and was told that state law trumps the HIPAA policy. I can’t get anywhere, any suggestions?

  • Tim,
    Of course, I’ll put out the mandatory disclaimer that I’m not a lawyer and I know nothing about NY. Talk to a real lawyer for legal advice.

    I can tell you that we’ve had to deal with one issue in our clinic where the state law was different and more specific than HIPAA. So, our lawyers advised us to go with the stricter of the 2 laws which was our state law. I guess that might mean that it could be the same in NY.

    Crappy part is that consulting a lawyer on the subject will cost you more than just paying the viewing fee.

    Best of luck. I’m sorry that I’m not more help. My expertise is more with technology and implementing technical components according to HIPAA standards.

  • I have a question I would like to have answered, or tell me which direction I need to go from here.
    Last week I received an envelope from a large company in Ft Worth. I am at least 400 miles from Ft Worth and know no one at that company. Inside the envelope was a DETAILED billing along with SS#, birth dates AND a copy of my insurance company’s check stub with not just MY insurance info but 2 other people’s as well. In the middle of the detailed bill was a sticky note that said: Not a Ben E Keith Co employee. I contacted them and they said they are not sure why they got it but mailed it to me as my name and address was on the detailed bill. I then contacted the hospital that sent it to Ben E Keith company and was assured that I would hear back from them the next day. A week went by and all I received from them was a bill saying my ins had not paid until today, when I received a very lack-luster “apology” from the regional privacy officer.
    The “apology” was written on Friday and not mailed out until yesterday.
    I am very very upset with them. At this point not only have they violated my HIPAA rights, they have also placed me at risk of identity theft and insurance fraud theft. What do you suggest I do now?

  • lori,
    Sounds like it would be worth your while to talk to a lawyer and see what recourse you have. Each state has different laws and I’m not a lawyer, plus without all the details of the case it would be hard to say. However, it sounds like it would be worth seeking out some legal counsel.

  • Is it a HIPAA violation if I was a patient at the hospital I work at and my nurse, who is also a coworker, told other coworkers in the hospital who were NOT involved in my care how and what was wrong with me, along with how I was as a patient, and she also falsely charted in her patient notes about my hourly activities? I got a printed medical history of my time at the hospital, and so I found out all of this, and also about what she said to other coworkers. Would this be a violation? I intend on talking to my lawyer next week.

  • Bella,
    Good idea to consult your lawyer. If that doesn’t work well or if it’s too expensive, you might also contact the hospital’s privacy officer. They are usually pretty good at these types of things.

  • If a patient heard a doctor telling another patient’s family that the cancer had spread to the adjacent organs. The doctor was speaking in a low tone in a corner of the hallway. Is this a privacy violation?

  • Ginelle,
    I prefer not to give specific advice on what’s a HIPAA violation or not on this website. That’s best done by a lawyer who can investigate all the intricacies of a certain situation. I mostly try to focus on various HIPAA violations that have been in the news and leave the legal stuff to lawyers. I know that’s not much help, but if you’re concerned you might want to consult a lawyer.

  • I retained an attorney for a personal injury. The attorney’s release of information form was not HIPAA compliant as I recently found. Additionally, the attorney had duplicated a form I signed and sent copies around to various doctors (not mentioning why he requested them) just to get my medical records. My tests such as pap smears, mammograms, etc, and other confidential matters and records even from other doctors were sent to the attorney. My doctor gave him any records she had relative to my medical care. In turn, the attorney released everything to the other attorney. Now I find the release form was not HIPAA compliant? What good is HIPAA and any violations if nothing can be legally done? To me HIPAA means nothing as there is no protection for a person’s medical records or information. I received a letter from CIVIL RIGHTS stating that the form was not HIPAA compliant? but the doctor’s office released my records anyways? The truth is that nothing can be done legally anyways even though my rights were violated!

  • Hi, I’m a nursing student doing a class project related to HIPAA. We’re trying to find out if taking pictures of patients, specifically of existing wounds on hospital admission, and of wounds acquired during a hospital admission, is a violation of HIPAA, or if it is covered as part of the medical record. If you have any input, it would be greatly appreciated.

  • Rachelle,
    Don’t take anything I say as legal advice since I’m not a lawyer. However, for a class my advice is pretty good.

    You can take pictures of a wound. In fact, many people including ourselves do it. In our case we especially do it for sexual assaults so that they have evidence should they need it.

    In our case, we do require them to sign a consent for photo which basically gives us permission to take their picture. I’m not sure if this is legally necessary or if we’re just covering our backside, but seems like a good idea to me regardless.

    So, it is not a violation of HIPAA to take the picture. It would be a violation of HIPAA if we released it to people without the patient’s consent.

    I believe a picture is considered protected health information (PHI) and so it is part of the medical record and would be covered by the same privacy requirements as other PHI.

    In our case, we attach ours directly in the electronic medical record so it is protected and secured by the electronic medical record.

    I hope this helps.

  • Hey, I have a quick question… I was admitted to the hospital, had some personal issues arise and didn’t discuss it with anyone. Last night a good friend who has no contact with the hospital sent me a message wanting to know if I had something going on? I know this information came from a nurse that may or may not have been on duty when I was admitted. I know this nurse told her why I was admitted. I’m very upset, what recourse do I have?? I know she told my personal health information to my friends.

  • ALR,
    As you can see above, I don’t really give specific legal advice. I’ll leave that to lawyers. I did recently come across a health care attorney on Twitter. I don’t know her very well yet, but from what I’ve read she seems to know what she’s talking about. You can find her: http://www.healthlawoffices.com/

  • Recently our facility started doing shift change reports at the patient’s bedside. Our rooms are all semi-private, and members of both patients’ families are often present. Is this activity a violation of HIPAA policy?

  • When going through training at a Fortune 500 company, the trainer disclosed openly my medical disability to supervisors when introducing me to them. There were other ADA violations as well. I know EEOC will be contacted, but where else can I go to for help since HIPAA and ADA would be handled by two different types of lawyers, correct?

  • Mary,
    I could be wrong since I’m not a lawyer and can’t give legal advice, but my understanding is that HIPAA wouldn’t probably apply in this case since your employer isn’t a healthcare professional (unless you’re an employee at a hospital or something). Seems like the ADA violation and EEOC are the best ways to go.

  • I work at a medical center in plant services. As a part of my job, via work order, I am asked to retrieve patient folders from a storage area to carry back to the oncology department for their review. I am given only the name and date of birth of the patient to locate these folders. Am I in violation of any HIPAA rules by performing this requested task?

  • Jeffrey,
    Have you gone through a HIPAA training and signed a form saying that you’ll abide by HIPAA guidelines? If you have, then I don’t see a problem with it. You work under the same company and if you’ve learned and signed an agreement to abide by HIPAA, then it should all be fine.

    For example, in my case, we make everyone that has access to our server room go through the HIPAA training and sign the HIPAA forms. Just better to be safe than sorry.

  • Generally speaking, do Free Clinics have to abide by HIPAA regulations? Not interested in filing any lawsuits here….Reason I ask is that my mother is uninsured and has to receive her health care at a local free clinic, staffed mostly by volunteers. I accompanied her last week to pick up her medications, and the window attendant asked my mother questions about her blood sugar levels, blood pressure and bowel habits in front of a crowded waiting room. This is common practice at this particular clinic. My mother is fairly timid, and does not want to ’cause a bigger scene’ or risk retaliation, so I ask sheerly out of morbid curiosity. Any input will be appreciated.

  • Crystal,
    I’d say they would need to follow HIPAA if they’re a health care organization. Might not do as well with a sympathetic jury, but if they are healthcare providers they’re still governed by the same laws I believe.

  • I live at home with my mother and I was under her medical insurance until April 2008. I still go to that doctor, but they have since made several errors and billed her insurance instead of mine. Once we finally got that nightmare resolved, this happened:

    I just went to the doctor to get some medical tests and everything done. A bill was sent to my home with an itemized list of every procedure and test that was run. It said I was the patient, charged MY insurance, but the bill was sent and addressed to my mother. When I called to complain, they said it was some sort of clerical error with the correspondence. I still feel like my rights were violated because my medical information was sent to my mother without consent. Whether it was a harmless error or not, I’m still pretty upset about it.

    Does anyone have any advice on what I should do? Does it sound like my rights were violated and I have grounds for a lawsuit, or should I just let it go?

  • Erin,
    You’ll need to consult a healthcare lawyer to know about lawsuit and violations of law. However, if you didn’t have any real damages, I’d just suggest possibly calling your state health services about a possible violation. That way it holds the place accountable, but doesn’t contribute to this sue happy society we live in.

    Just my take. If there were damages to you or your family, then I’d say talk to a lawyer.

  • When we call in sick at my place of employment, a NYS health care facility, our SV insists on knowing what is wrong. When we return to work our coworkers know the details of our illness. Is this a violation of our privacy rights?
