
What Can I Do After an Improper Disclosure of Medical Records?

Protecting patients' privacy rights is an essential aspect of public health. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patient privacy. Under this federal law, patients have the right to their medical records. This includes the right to "inspect, review and receive a copy of their medical records."

What is an improper disclosure of medical records?

Here's an example: a doctor faxes a patient's HIV status to the patient's employer. The doctor should have faxed it to the patient's new health care provider. Although this was not intentional, it is an improper disclosure of medical records. The provider sent the patient's medical status to the wrong party. Improper disclosure includes unintentional acts, security breaches, and improper maintenance of patient records.

Patients have remedies under federal law for improper disclosure of their medical records. Unfortunately, this does not include the patient's right to sue for compensation. The following article explores improper disclosure of medical records and patient privacy rights. It also looks at medical records and exemptions of privacy rules. Finally, it includes a few remedies for improper disclosure of medical records.

HIPAA and Medical Records

HIPAA is a federal law that establishes data privacy protections. It also provides security safeguards for a person's identifiable health information. Health data includes more than a patient's essential health information. It also includes identifiers such as a patient's Social Security number or date of birth. This data, known as protected health information, is often part of a person's medical records.


HIPAA requires health care providers, health insurance companies, and other "covered entities" to get patient consent before sharing their medical information. A covered entity is a health provider, health plan, or health clearinghouse. Health providers include:

  • Mental health practitioners
  • Dentists
  • Nursing homes
  • Pharmacies

Health plans include health insurance companies, HMOs, and government programs like Medicaid. HIPAA applies to covered entities and their business associates. HIPAA privacy rules apply to business associates and their subcontractors. Covered entities need a patient's written authorization to share confidential information. This includes life insurance companies or business associates. If a patient has a personal representative, that person must provide written authorization.

Medical Records

Medical records are part of patient care. Medical records are updated regularly. This includes medical history and laboratory test results. As technology has advanced, so has record keeping. Today, most medical records are in electronic form. Only the patient and their personal representative can access the patient's health care information. Often providers need a written request. Patients may request copies of their medical records. Providers have up to 30 days to provide documents.

Exceptions to HIPAA

There are exceptions to HIPAA's Privacy Rule. These limited exceptions generally apply when a patient is either absent or unconscious. The provider may share patient information with a family member, representative, or friend. They may do so if they believe it is in the patient's best interest. They may also share information with someone paying for the patient's treatment. This exception only applies when the patient is absent or cannot consent.

For example, say a patient has emergency surgery and is unconscious after the surgery. The surgeon can update the spouse in this scenario. The provider can only provide information about the procedure. Another example is if a patient asks their friend to pick up their medication. The pharmacist may only give the friend medication-related information.

Physicians may share medical records with another provider if necessary for treatment. There are three requirements both covered entities must meet. First, they must have (or have had) a relationship with the patient. Second, the disclosure relates to the relationship between the patient and providers. Finally, they can only share minimal information necessary to provide health care services.

Improper Disclosure of Medical Records

The improper disclosure of medical records is different from the exceptions listed above. Here are a few examples of improper disclosure of medical records:

  • An insurance company sends a patient's explanation of benefits (EOB) to an unauthorized family member
  • A pharmacy tech puts a patient's Medicaid card in another patient's bag
  • Hospital employees discuss a patient's STI results in front of other patients

Each of these examples involves a covered entity, a patient, and protected information. Each is also an improper disclosure of medical records.

Take Action After an Improper Disclosure

There are several remedies for improper disclosure of a patient's health information. These do not include suing a covered entity under federal law. HIPAA does not have a private cause of action for improper disclosure. This means patients can't file a lawsuit under HIPAA. Patients can file complaints with the Department of Health and Human Services. Patients have a few options for improper disclosure of their medical records. These options include the following:

  • Filing a complaint with the HHS's Office for Civil Rights (OCR). The OCR is like a law enforcement arm of the HHS; it investigates complaints against covered entities
  • Filing a complaint with a professional board, such as the state Board of Medicine or the Board of Nursing

State-Level Remedies

Patients may have a cause of action for medical privacy violations under state law. State law remedies include the right to sue for invasion of privacy. They also include the right to sue for a breach of doctor-patient confidentiality. State attorneys general can sue for damages for HIPAA violations. Patients can file a complaint with their state's attorney general.

Get Legal Help

If you've experienced an improper disclosure of your medical records, there is help. An experienced local health care law attorney can help you file complaints. They can also provide sound advice on the right direction to take.
