Q&A with Karen Rieger
Medical facilities can face fines for patient data breaches
Q: There have been recent breaches of patient data at medical facilities. What rights do patients have to the security of their medical records?
A: Many. The federal Health Insurance Portability and Accountability Act limits the ability of health care providers and insurance companies to use and disclose patient health information without the patient's authorization, except as necessary for purposes of treatment, payment and certain health care operations. Oklahoma also has a number of laws and regulations that protect sensitive health information.
Q: What recourse do they have, should that information be leaked?
A: Patients can't bring lawsuits, but violations may be reported to the Office of Civil Rights (OCR), which can impose fines and penalties on health care providers and insurance companies that violate the law. We have seen an increase in enforcement activities by the OCR over the past several years, in light of several well-publicized cases in which health information of celebrities and other high-profile individuals was inappropriately leaked. Patients also may bring a claim based upon invasion of privacy, breach of contract or other legal grounds, depending upon the facts of a particular case.