No matter how painful or egregious a health care breach might be, patients don’t have an automatic path by which to sue if their information is revealed, as there is no private right of action under HIPAA. But about 10 years ago, attorneys began to find a way to sue for damages nonetheless. Perhaps the most successful, and certainly among the first, is Indiana attorney Neal Eggeson.
In 2010, a jury awarded Eggeson’s client $1.2 million from an internal medicine practice whose billing company revealed the patient’s HIV-positive status in a debt filing in court. Four years later, he won $1.8 million from Walgreen Co. and the pharmacist who violated a customer’s privacy. Eggeson, whose practice is now solely medical privacy cases, spoke exclusively to RPP for a behind-the-scenes look at those cases and the ones that never make headlines because they are settled out of court.
In the first part of the Q&A with RPP, Eggeson expressed in concrete terms some of the harms that can result when privacy is violated, a concept that might be somewhat abstract for HIPAA officials. Among the surprises: Eggeson offered to settle his first case for $10,000, but the practice turned him down.
This issue presents the conclusion of the Q&A, in which Eggeson addresses the irresistibility of snooping, the lost promise of the HHS Office for Civil Rights (OCR), which enforces HIPAA, and the value of random, but regular, audits.
Each year hundreds of people contact you believing their medical privacy has been violated. What do you think of the state of medical privacy today?
It’s easy to become cynical when you hear 350 different variations on the same story every year. I don’t want to diminish or denigrate the HIPAA privacy rule in any way. I think, symbolically, it stands for something real and tangible, and people understand that there is a federal law out there that protects the confidentiality of their protected health information. I think most people recognize the importance of that.
I will say as a practical matter, in enforcing protections, I’m not sure the privacy rule has accomplished as much as it could. Realistically, I shouldn’t have to go through a two-year medical review panel process [as with the HIV case]. I shouldn’t have to jump through all of these hoops in order to get a privacy victim to a jury. But I have to go through two or four or six years, that sort of thing, in order to get one of these cases to a place where someone can receive compensation.
And what about the federal government’s role?
OCR is designed to be the enforcement entity for HIPAA violations. But in reality, people don’t receive compensation for what happens to them from OCR’s enforcement actions.
But they could. OCR has still never issued regulations about sharing penalties with people who have been harmed by privacy violations. It was required to by Congress in 2009.
That is as disappointing to me as it is unsurprising.
Continuing with OCR, you’ve found there is a lot of confusion among your callers as to what HIPAA covers. Should OCR undertake a public education campaign? OCR itself gets thousands of complaints for which it lacks jurisdiction, and HHS’s own advisory committee virtually begged it years ago to try and clear up the confusion.