The HIPAA Omnibus Rule and its Possible Impact on Malpractice

It seems like there is something new for physicians to worry about almost every day. The latest to concern many MDs are the HIPAA Omnibus final rule that takes effect on September 23, 2013. These new rules cover many areas, including privacy and breach notifications for unsecured protected health information (PHI).

We’ve had physicians ask us whether the newer and tighter HIPAA regulations and scrutiny could increase their malpractice exposure. The short answer is: Probably, but in ways many physicians may not have considered before.

Whereas HIPAA violations can lead to regulatory fines and penalties, they do not provide the basis for a lawsuit. When it comes to HIPAA violations, patients are limited to filing complaints with governmental agencies who, in turn, may levy fines and penalties against the healthcare provider.

However, there have been a few isolated cases where an apparent HIPAA violation, a data breach or "information" breach, eventually did lead to a lawsuit. In certain states, patients may choose different legal channels, whether reporting to a governmental agency or pursuing a malpractice action. Patients will need to consult an attorney to determine their specific options.

One recent high profile case illustrates how a physician can be sued because of a HIPAA-type violation. A physician in Indiana sent a patient to a collections attorney and in providing the unpaid bills to the firm, the office failed to remove PHI. When the claim was filed with the court as part of the collections effort, the patient’s HIV status became public record.

Although the physician office violated HIPAA, the patient actually sued the practice under the state’s malpractice laws and was awarded $1.25 million.  (Note the patient couldn’t sue under HIPAA because it does not provide a private right of action. In short, patients can file complaints - but not sue using HIPAA. Patients can sue for the incident that led to the HIPAA violation, but only if they can prove damages or other cause under their state’s medical professional liability laws.)

While clearly HIPAA may pose certain legal exposures to physicians, there’s a more important issue I believe presents a bigger risk, and it’s one that can easily be overlooked with all the concern on new rules, regulations, and the uncertain marketplace. I believe the larger danger to physicians - and more importantly one they can actively address - is the potential loss of reputation and credibility when there is a publicized HIPAA violation.

If your office is found in violation of HIPAA, or more specifically if you were to have a breach of patient records, that situation could undermine your relationship with patients and have long-term negative ramifications for your credibility and reputation. From my own experience, and by simply looking at the characteristics of physicians who are sued, versus those who are not, I know that maintaining solid physician-patient relationships is the foundation for a strong medical practice and is also a key contributor to risk prevention. Always keep in mind that unhappy patients, and patients who don’t trust or like their physicians, are much more likely to sue if anything goes wrong - or even appears to go wrong.

So, yes, physicians do have possible financial and legal exposures as a result of HIPAA regulations, but perhaps in a less-direct yet every bit as damaging way than many may have considered. Physicians who proactively work to make their medical practice and process HIPAA-compliant are more likely to enjoy a higher level of respect and credibility among their patients and the medical community, and avoid more problems of all stripes - now and in the future.

What concerns you most about the new HIPAA regulations? Tell me in the comments section below.