I’m not sure if’n this is the right forum, if it isn’t, I’m sure Unca-bunca-burnin’ Beer will put it in its right place.
A friend of mine is a member of a health insurance plan at his work. The company sent out new information concerning changes to the plan. Inadvertently (apparently) they also sent out to thousands of employees his children’s names, ages, social security numbers and other personal data. He doesn’t wish to make too many waves yet, but the company has taken a “It’s no big deal. There’s no harm done. Why are you worrying? We’ll fix it sooner or later” attitude.
He’s in New Jersey. He doesn’t want to hire a lawyer yet and escalate the situation. He also is scared about having that kind of information out there with the company’s nonchalant attitude.
What should his first step be? What law protects him? What is he entitled to in rectifying the situation? What is the company’s responsibility?
Any specific law which he could look up on his own and use in discussions with management would be helpful. Any advice is welcomed too.
I know, and he now knows, that no major action other than speaking with his supervisor should be taken without consulting a lawyer. BTW, what kind of lawyer should he speak to about this situation?
I guess that’s enough for you guys to ponder for now.
I agree, Jon. (What’s HIPAA stand for anyway?)
But after a furtive search of the web, we couldn’t boil it down to the specific rule, law, standard which was broken. We couldn’t boil anything down so it was on point in New Jersey.
We both agree that it was wrong for the co. to send out forms filled out with my friend’s children’s info on them. But the co. won’t take him seriously until he can point at something and say, “What you did was wrong. Here’s why. How are you going to fix it?”
The info is out there so even if they “recall” the forms there’s no way to ensure it’ll ever be safeguarded again.
According to the link (thanks, KSO) he can file his own grievance. But isn’t that kinda like shooting a hummingbird with a shotgun at this point?
I still think he needs to talk to a lawyer. What kind of lawyer, I have no idea.
If I’m understanding this right, the health insurance company sent forms printed with your friend’s kids’ names and information to employees throughout the company?
If that is the case, then yes, there is a HIPAA violation. (HIPAA stands for Health Insurance Portability and Accountability Act.) Health insurance information is also protected health information (PHI) under the act, just as actual doctor’s-office medical records are.
So far, I don’t see any actual harm done. That does not mean it will not happen in the future.
What I would tell your friend is this:
- Contact the credit bureaus to find out how to flag the kids’ credit records for possible identity theft. (No joke.) I’d do this first, actually.
- File grievances both with his employer and with the state insurance commission, and possibly with HHS (see KSO’s link above). HHS can make the company care.
- He doesn’t have to make any legal moves yet, but he should still call the local bar association (I’d start with the New Jersey Bar Association). They can probably refer your friend to a lawyer who deals with privacy issues. Even if no legal action goes forward, the guy can probably write a letter to the company putting them on notice.
Did the company really send out PHI? That could be of some serious concern. As for private information (non-health related), I don’t know of any law off the top of my head that’s been violated. I’m sure there’s some general tort out there. However, the strongest case is via HIPAA, and you probably should look for a lawyer with that in mind. Med Mal is a good place to start since it arguably falls in their expertise. Don’t feel bad about pursuing it; it’s a friendly reminder that no bad deed will go unpunished. Other than that, MsRobyn has some good advice.
I respectfully disagree, lawboy. IANAL, but I am a medical records and billing specialist, and well-trained in HIPAA provisions.
The rule of thumb is that ANY private information, such as name, address, social security number, employer, etc. is to be treated the same as medical information about the person. Doesn’t matter if it’s protected by the letter of HIPAA; we assume it’s protected by the spirit.
Also, it’s not a Med Mal case; a lawyer dealing in privacy issues would be better. There has been no damage done so far (that we know about, anyway), so the best course of action would be preventive. Basically, having a lawyer write the company a letter explaining the error of its ways and explaining that they may well be liable for damages in the event that the kids’ information is misused might change their tune rather quickly.
All in all, it was a stupid thing to do in the first place, and the company’s cavalier attitude might well come back to bite 'em in the ass.
I seem to recall that New Jersey has a particularly strong state law on medical privacy - even with the HIPAA privacy regs coming into effect in January, I believe states can still enforce higher protections. So it may be worth speaking to a litigator about this, regardless of whether there’s a cause of action for the HIPAA violation.