HIPAA violation by Law Enforcement

Status
Not open for further replies.

moandlo

New Member
All of our prescription information was given to law enforcement WITHOUT a subpoena or search warrant. The Dept of Health stated they must have a written administrative request of investigative demand (since no subpoena or s.w.). I have reviewed their file and no such written demand exists and the atty for the agency stated via email to me "the request was made orally". Yet somehow they produced something written to DOH so they were cleared of a HIPAA violation. I know there is no private cause of action in regards to HIPAA but have been told that we could sue under the same premise but call it breach of confidentiality or duty. How do I find an attorney to represent us to sue a national pharmacy? What type of lawyer should I be looking for? A national civil rights organization is currently looking into our case b/c of what the L.E. agency did (this and intentionally misleading a judge stating they have information they do not have b/c it does not exist).
 
The person/agency that gave up the information would be more liable than the law enforcement agency that obtained it.
What exactly are your damages? Just upset that the information was given?
 
The law enforcement agency did not violate HIPAA by receiving it, but the medical provider might have violated HIPAA by providing it. Maybe.

Who provided it to the police and why? HIPAA does not override state law and there may be certain situations where state law requires such cooperation.

If you feel a violation has occurred, you can file a complaint.

For more information, go here:

http://www.dcf.state.fl.us/hipaa/

- Carl
 
A national pharmacy handed over all of our prescription info WITHOUT any of the required paperwork. The atty for Law Enforcement stated (via email) they did not need a subpoena or search warrant. They are at least required to have a written request or investigative demand (per Fed HIPAA guidelines) and the response to this was the written request does not exist b/c the request was made "orally". Yes, the pharmacy is at fault for violating their own policy and violating the law. But LE is also faulted b/c they knew the law and violated it as well plus they knowingly misled (lied to) a judge with FALSE information in order to obtain a search warrant (illegal search and seizure).
 
If they obtained a warrant from a judge then there is nothing to argue about.
If they didn't have the appropriate permission, only the pharmacy is at fault.
They didn't illegally search/seize... they went to the pharmacy and asked and obtained.
 
Remember, that the FEDERAL guidelines do not supersede state law with regards to most areas surrounding HIPAA. If state law makes it permissible for law enforcement to ASK for this information, and even possess it for a lawful purpose, then the law enforcement agency is not in violation of HIPAA.

If you believe the law enforcement agency and the pharmacy have violated HIPAA contact the Florida Agency for Healthcare Administration:

http://www.fdhc.state.fl.us/hipaa/index.shtml

Also note that the feds at HHS summarize who is covered under HIPAA thus: "The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities")." You will note that it covers health care providers and not those who receive the information.

- Carl
 
Last edited:
To MightyMoose: They did NOT have a subpoena or a search warrant.
To CdwJava: Per the Health and Human Services site "State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies". HHS Ofc of civil rights.

Regardless, the written "policy" at Walgreens states "requires subpoena or search warrant" (which was NEVER obtained) and that they will notify the patient PRIOR to release of information (which was not done either). They ignored the law b/c they did not want us notified. Just think, if any LEO can walk in and ask for anyone's prescription information...what good is HIPAA. Obviously not Protected Health Information (PHI).
 
By the way, I went to the new link cdwJava listed and it states "Our office is responsible for assisting Medicaid recipients in exercising their rights provided under HIPAA". You have to a complaint with Health and Human Services Ofc of Civil Rights and then wait for two years. Look at the statistics of how many complaints they get to how many are prosecuted.
I still need assistance in finding an attorney so sue the national pharmacy (walgreens) since that question has been clarified...
 
To CdwJava: Per the Health and Human Services site "State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies". HHS Ofc of civil rights.
And since HIPAA covers the medical providers, not the receiver of the information, there would still seem to be no issue with regards to law enforcement possessing the info.

From the HHS site:

As required by Congress in HIPAA, the Privacy Rule covers:

* Health plans
* Health care clearinghouses
* Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.

These entities (collectively called "covered entities") are bound by the privacy standards even if they contract with others (called "business associates") to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See our business associate section and the frequently asked questions about business associates for a more detailed discussion of the covered entities' responsibilities when they engage others to perform essential functions or services for them.

Regardless, the written "policy" at Walgreens states "requires subpoena or search warrant" (which was NEVER obtained) and that they will notify the patient PRIOR to release of information (which was not done either).
Bad news for Walgreens. Perhaps you have a HIPAA complaint you can make against them. Contact the appropriate state or federal agency and make the complaint.

Just think, if any LEO can walk in and ask for anyone's prescription information...what good is HIPAA. Obviously not Protected Health Information (PHI).
Anyone can ASK for anything. Asking is not a violation, providing the information can be.

I can walk in to a bank and ask for your account information. If they give it to me, I am not necessarily in violation of ANY law for being in possession of that information unless I intend to use it for some nefarious purpose. The BANK, on the other hand, could be in violation of several state and federal regulations that could subject them to penalties. Likewise the online pharmacy.

Your beef is with them. And HIPAA tends to have fixed penalties for violations and are not generally the subject of big money lawsuits. Unless you can show some serious damages, then Walgreens may be liable for whatever statutory penalties might apply, but I seriously doubt the law enforcement agency is going to be liable for anything.
 
Last edited:
Status
Not open for further replies.
Back
Top