How can I prove that my medical privacy was violated?

Under the Amended Rule, it will be virtually impossible for an individual to know when his privacy is violated, as no “audit trails” are required for the unlimited disclosures the Privacy Rule allows to covered entities.

Since identifiable health information can be used and disclosed for all “routine” purposes without the individual’s knowledge or consent, the individual will not know when or to whom most disclosures are made. Further, since the Amended Rule provides “regulatory permission” for most uses and disclosures, very few such uses and disclosures will be “unauthorized”.

Example: Consider the burden that a depressed patient would have to bear in order to show that a violation of his/her rights under the Amended Rule has occurred.

  1. He/she would first have to find out, without any notice, that a use or disclosure of his/her attempted suicide and hospitalization has occurred.
  2. He/she would have to find out, without any accounting or audit trail, which entity improperly disclosed this information.
  3. He/she would have to overcome any contention by the disclosing entity that the information was needed for treatment, payment or health care operations.
  4. If the disclosure was for one of those “routine” purposes, he/she would have to show that the information disclosed was more than the “minimum necessary” amount of information for that purpose (the Amended Rule states that covered entities are to make this determination for themselves “based on their own assessments of what protected health information is reasonably necessary for a particular purpose”).
  5. He/she would have to convince the Office of Civil Rights within the Department of Health and Human Services to launch an investigation.