A HIPAA Privacy Notice A Day Keeps The Doctor Away (And Out Of Trouble)



The start of 2023 has brought with it significant changes to data privacy – new state laws concerning data privacy came into effect January 1 (the California Privacy Rights Act and the Virginia Consumer Data Protection Act), and other privacy laws are slated to become effective later this year (the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act). These new state laws add to the complex mesh of laws, regulations, and acts that govern data privacy in the United States. But despite this recent focus by legal commentators on new trends in state privacy laws, U.S. businesses should not forget that they are subject to core federal data privacy laws as well.

Compared to the unified data protection laws that govern data privacy in other foreign jurisdictions, such as the European Union, where the General Data Protection Regulation (“GDPR”) provides comprehensive and aligned oversight over data, U.S. businesses handling the personal data and information of individuals must navigate separate, disparate, and sometimes conflicting, laws. Without a comprehensive federal law that pre-empts state data privacy regulation, U.S. businesses must determine whether they are subject to a variety of federal, state and local privacy-related laws with industry- or function-specific applicability.

Failure to comply with privacy laws can result in costly administrative action, litigation, and fines and penalties. For example, the Office of Civil Rights (“OCR”) released a statement on January 3 that the U.S. Department of Health and Human Services had reached a settlement with Life Hope Labs, LLC (“Life Hope”), a Georgia-based full-service diagnostic laboratory, for alleged violations of the right to access under the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act (“HIPAA”) by not providing requested medical records in a timely manner to a decedent’s personal representative. [1] HIPAA and its Privacy Rule set a federal standard that regulates how healthcare providers and health insurance companies collect, protect and share sensitive health information. This “protected health information” encompasses individually identifiable health information, such as medical records and other data related to an individual’s “past, present or future physical or mental health or condition” and “provision of healthcare”, and it is subject to the Privacy Rule’s various safeguards, protections, and rights.

In some instances, protected health information may be disclosed without an individual’s consent without violating the Privacy Rule. For example, if disclosure is related to the treatment, payment, or healthcare operations, or if related to legal action, the Privacy Notice may permit healthcare providers to share protected health information under certain circumstances. Accordingly, healthcare businesses should make sure that they provide clear notice of their protected health information processes and practices to their patients (and their representatives). Similar to user agreements (like Terms & Conditions and Privacy Policies) used by businesses to protect themselves when interacting digitally with consumers under other privacy laws, a HIPAA Privacy Notice is a critical document healthcare providers are required to create and maintain.

Although the subject matter of the Privacy Rule (protecting health information) is relatively narrow, the range of businesses subject to the Privacy Rule, each a “covered entity”, can be broad. Not only are businesses such as healthcare providers (e.g., hospitals and clinics) and health plans (e.g., individual and group health, dental, vision, and prescription drug insurers) subject to the Privacy Rule, but so are healthcare clearing houses (e.g., third-party billing services, repricing companies, community health management information and value-added networks) and other “business associates” of any covered entity (e.g., internal business services such as accounting, legal, data aggregation, administrative, management, and other similar functions). Moreover, if you electronically transmit health information, you may be subject to the Privacy Rule even if you don’t directly provide health services.

But in addition to restricting the transmission of protected health information, the Privacy Rule also requires, in certain situations, the transmission of protected health information. Generally, individuals have the right to obtain a copy of their protected health information, make changes to their protected health information, request additional restrictions on the disclosure of their protected health information, request an accounting of the disclosure of their protected health information, and appoint a representative to handle their protected health information. The Life Hope settlement resolved a federal investigation of an incident where Life Hope failed to timely provide medical records to the personal representative of a decedent — a violation of the right to access under the Privacy Rule. It is important to understand that the resulting penalty is for a failure to share, as opposed to a failure to prevent sharing, of protected health information.

HIPAA is not the only law that dictates the disclosure of health information: the right to access under the Privacy Rule is similar to rights of individuals under other data privacy laws and regulations at the state level. State data privacy acts generally provide state residents with the right to access their data, including their health information. However, certain states also provide residents with the right to delete their data, while California, Colorado, and Virginia provide their residents with the right to correct their data. In the event a state law conflicts with and is more stringent than a provision of the Privacy Rule, the state law will typically control (and when the two do not conflict with one another, the covered entity must comply with both). Healthcare businesses and their business associates therefore need to understand which data privacy laws they are subject to, and how those laws might conflict with, or take precedence over, each other.

Navigating the mesh of data privacy laws can be complex, but the investment to ensure that your user agreements and privacy notices are up-to-date, complete, and accurate can spare your business significant penalties. As we’ve seen, the cost of non-compliance can be significant. Not only did Life Hope have to pay a settlement, but the company also agreed to implement an action plan to correct its deficiencies, including developing and maintaining written policies and procedures within 60 days, training its workforce, and providing annual reports of its compliance with the Privacy Rule. [2] An unexpected expense of defending and settling an enforcement action, plus the cost to implement corrective actions, can be a significant setback for companies.


This DarrowEverett Insight should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. We are working diligently to remain well informed and up to date on information and advisements as they become available. As such, please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.

Unless expressly provided, this Insight does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.

[1] U.S. Department of Health and Human Services, Press Office, https://www.hhs.gov/about/news/2023/01/03/lab-pays-16-thousand-5-hundred-dollar-settlement-to-hhs-resolving-potential-hipaa-violation.html

[2] Life Hopes Resolution Agreement and Corrective Action Plan, Resolution Agreement, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/life-hopes-ra-cap/index.html