HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

No Action Over Patient Privacy Violation Due to HIPAA Loophole

Recently, a New Jersey lawyer discovered that confidential information classed as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) is not necessarily kept private by providers of healthcare services.

Under certain circumstances, the holder of those data may disclose the information publicly without penalty, as recently happened in his case. The lawyer had received treatment for mental health issues at Short Hills Associates in Clinical Psychology between 2012 and 2014. Some of the meetings had not been paid for, and Short Hills Associates filed a lawsuit for non-payment of $4,400 last year.

Short Hills Associates is within its rights to take legal action against individuals who do not pay for chargeable medical services; however, in the lawsuit the organization listed the lawyer’s diagnosis and the services he had received. That information was detailed in publicly filed court documents.

HIPAA does permit the disclosure of PHI under certain circumstances, but this should be limited to the minimum necessary information for a transaction to be performed. It may be necessary for some information to be disclosed in court documents to substantiate a claim against an individual, but the disclosure of a diagnosis would appear to have been unnecessary.

While this would appear to be a violation of HIPAA Rules, the Department of Health and Human Services’ Office for Civil Rights disagreed.

The lawyer filed a complaint and was informed by OCR’s Rachel Seeger that his complaint had been closed with no action taken. The reason given was that Short Hills Associates in Clinical Psychology was not a HIPAA-covered entity.

HIPAA covers organizations that transmit health data in connection with transactions for which OCR has adopted standards, but this applies to electronic data only. Since Short Hills Associates does not use electronic data, it falls outside of HIPAA regulations.

According to a statement released by the lawyer, the disclosure of his PHI “turned my life upside down.” He is now countersuing the practice, as well as its debt collection lawyers, for breaching the psychologist-patient privilege and violating his privacy. The lawyer is also attempting to sign up other individuals who have had their privacy violated and add their names to a class-action suit against Short Hills Associates.

According to a recent investigation by ProPublica, Short Hills Associates in Clinical Psychology has taken action against 24 individuals for unpaid bills. In each of those cases the patient’s name has been recorded in court documents along with treatments that have been provided and diagnosis codes. Those diagnosis codes are used by the American Psychiatric Association and can be found in the Diagnostic and Statistical Manual of Mental Disorders. Anyone wishing to determine a condition listed in court documents could easily look up the diagnosis codes.

While OCR may lack jurisdiction to take action in such cases, state laws may offer individuals greater protection. HIPAA is only a minimum standard. States are permitted to introduce laws that increase protection for healthcare patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.