What is a HIPAA Violation Lawyer?
A HIPAA violation lawyer is an attorney who is well-versed in the various aspects of HIPAA law, and who can, in appropriate cases, assist someone who alleges to have been damaged by a HIPAA violation. A HIPAA violation lawyer can provide this assistance with helping someone file a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR).
This lawyer can work with someone who is the victim of a privacy or security rule violation by filing a state court lawsuit on their behalf. The issue of what is a HIPAA violation lawyer is discussed in greater detail below.
What is a HIPAA Violation Lawyer? An Issue-Spotter
The main function of a HIPAA violation lawyer is to explain to a client whether the facts a client gives the HIPAA lawyer amount to a HIPAA violation. For the HIPAA violation lawyer to give the explanation, the lawyer must be able to recognize potential issues. For example, a patient may discover that a doctor has shared her medical records with another doctor in the same facility, for purposes of treatment. The patient may then ask the HIPAA violation lawyer to answer whether the sharing is a violation.
To answer the question, the lawyer must be familiar with several issues, including:
- What rule prohibits sharing of protected health information?
- Are there exceptions to this rule?
- What do the exceptions allow to be shared?
The HIPAA violation lawyer should know that the HIPAA Privacy Rule generally prohibits use, disclosure, or sharing of PHI without written patient authorization.
The HIPAA violation lawyer should also know that one exception to this rule is the “treatment, payment, and healthcare operations” exception. Under this exception, a doctor may share a patient’s PHI with another doctor when necessary for treatment purposes, without first having to obtain patient written authorization.
So far, the HIPAA violation lawyer must be familiar with the rules, and the exceptions to the rules. Many times, an exception to the rule contains language limiting the scope of the exception. The HIPAA violation lawyer must be familiar with this language also. In the case of the treatment, payment, and healthcare operations exception, the lawyer must know that PHI can be shared, BUT that reasonable safeguards apply to the sharing. The safeguards vary depending on how the information is shared. For example, when a provider faxes PHI to another provider that the provider has not worked with or shared PHI with before, the faxing provider should first confirm the fax number with the intended recipient.
Lawyers who can recognize issues, and provide answers as to how the law resolves them, are typically paid hourly, or at a flat rate, for consultation. That consultation may end with the lawyer telling the patient that a HIPAA violation was committed, but that the patient cannot recover money under HIPAA’s provisions, because there is no private right of action under HIPAA. The lawyer can offer to assist the client with filing a complaint with HHS’ OCR. The lawyer can prepare a complaint citing the relevant provisions of the regulations. The lawyer can also assist the client in providing additional information OCR may request.
What is a HIPAA Violation Lawyer? Lawsuits
Of course, as night follows the day, HIPAA violation lawyers file lawsuits on behalf of their clients. Lawsuits in which clients claim HIPAA allows money damages for violations, are dismissed under the “no private action rule.” However, the same facts constituting a HIPAA violation may constitute a violation of a state data privacy or data security law. A HIPAA violation lawyer is (or should be) familiar with these laws. This familiarity allows the lawyer to advise the client if there are grounds for a lawsuit, and what law the client can file a lawsuit under.
The lawyer should be familiar with whether the law has a statute of limitations, and if it does, the lawyer should advise the client on how much time the client has left to file the lawsuit. Statutes of limitation differ among states. Data privacy and data security breach laws may contain “attorneys fees” provisions. These are provisions stating that, if a plaintiff prevails in the lawsuit, his or her attorney is entitled to a percentage of the damages. If a law does not contain an “attorneys fees” provision, it is up to the lawyer and client to decide how the lawyer is to be paid. The lawyer and client can enter into a contingent fee arrangement. In this arrangement, the lawyer only gets paid if the plaintiff wins the lawsuit. The payment is typically a percentage of the amount of damages (provable financial losses). The plaintiff usually is still responsible for “court costs,” which include things such as lawsuit filing fees, fees for copying and mailing documents, and fees to pay expert witnesses for their testimony.
