Contact Me for a Free Consultation 443-845-1456


Healthcare providers and facilities or organizations in Maryland and throughout the United States handle vast amounts of patient medical information. Their handling of it must, in addition to other federal and state laws, comply with the Health Insurance Portability and Accountability Act (HIPAA). 

At Frank Spector Law, we handle medical malpractice cases, but are often asked whether HIPAA violations are grounds for a lawsuit. Generally, the answer is no. In a medical malpractice case, there needs to be a permanent physical injury. A HIPAA violation is a violation of your privacy rights but is not something for which money damages are available. But since Frank Spector Law gets so many HIPAA calls, this page will at least give you more information.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted in 1996. Its purpose is to address the portability of health insurance as well as to protect the private and sensitive health information of patients. Under HIPAA, the latter information cannot be released without the knowledge and consent of the patient. 

Organizations that Must Comply with HIPAA

The entities that must comply with the rules established by HIPAA are referred to as covered entities. Covered entities can include but are not necessarily limited to:

  • Health Plans. Health plans include government programs that pay for health care including Medicare and Medicaid, company health plans, health insurance companies, and health maintenance organizations (HMOs). An exception may apply to group health plans with fewer than 50 participants.
  • Health Care Providers. If a healthcare provider transmits health information through electronic means, it may be subject to HIPAA. This would typically include doctors' offices, hospitals, clinics, pharmacies, and dentists, among others.
  • Health Care Clearinghouses. A clearinghouse processes nonstandard health information so that it conforms with standards for data format or content. An example would be a billing service.

There are other organizations that must also comply with HIPAA, such as the associates of covered entities. For example, contractors providing services to a covered entity will be subject to certain parts of HIPAA. These organizations are referred to as business associates.

Patient Rights and HIPAA Privacy Rules

The HIPAA Privacy Rule provides certain rights to patients regarding their protected health information (PHI). Individuals have a right to access their PHI contained in designated record sets – records used to make decisions about the individual, including:

  • Medical records
  • Billing records
  • Payment records
  • Claims records
  • Health plan enrollment records
  • Case management records

If any other record is used to make decisions about the individual, it is considered to be part of a designated record set.

HIPAA offers other protections, three of which prohibit covered entities from:

  1. Selling PHI for profit without permission and authorization to do so
  2. Disclosing or using the genetic information of an individual for purposes of underwriting
  3. Disclosing or using an individual's psychotherapy notes

Generally speaking, individuals have the right under HIPAA to have their PHI amended when the PHI is part of a designated record set. They also typically have the right to know who has seen their PHI.  

Examples of How Covered Entities Can Comply with HIPAA's Privacy Rule

  • Appoint a privacy officer and contact person to receive complaints
  • Develop consent, notice, and authorization forms for patients
  • Create privacy policies and procedures 
  • Draft comprehensive agreements with each and every business associate
  • Train staff on privacy issues

Covered Entity Obligations and the HIPAA Security Rule

The HIPAA security rule requires two things:

  1. Covered entities must perform a risk analysis to determine whether risks exist to electronic PHI; and
  2. If risks exist, covered entities must address them accordingly.

Covered entities must implement certain measures to become compliant or maintain compliance under the security rule and to protect patient data. These measures involve the implementation of administrative procedures, safeguards, and technical security services.

With regard to security, there is also what's known as the Breach Notification Rule under HIPAA. This rule requires HIPAA-covered entities and their business associates to notify patients and relevant parties when or if there is a breach of unsecured protected health information. Breaches must be reported within 60 calendar days. 

Common HIPAA Violations in Maryland 

Covered entities may inadvertently, or purposefully, fail to comply with HIPAA. Eight of the most common HIPAA violations are briefly described below. 

1. Unauthorized Access to Healthcare Records

Healthcare professionals are only allowed to access the PHI of patients for certain reasons. When they use their position, without authorization or proper reason, to access the healthcare records of patients, they have committed a HIPAA violation. Healthcare professionals have been accused of accessing the PHI of family members, friends, and celebrities without authorization under HIPAA.

2. Denial of Patient's Right to Access

The ability to access medical and health records is one of the most basic rights established by HIPAA. When a provider denies patients access, or fails to provide it within 30 days, they run the risk of being held liable for a violation.

3. Lack of HIPAA-Compliant Agreement with Business Associate

Business associates, although not considered to be covered entities, must comply with certain parts of HIPAA. When a covered entity fails to enter into a HIPAA-compliant agreement with all business associates, they may be in violation of HIPAA.

4. Unauthorized Disclosure of PHI

HIPAA authorizes the release of PHI under certain circumstances. When a covered entity discloses PHI in violation of HIPAA, they may be held liable for this violation and subject to a financial penalty.

5. Improper Disposal of PHI

HIPAA mandates that PHI be disposed of at certain times and in certain ways. Failure to follow these rules can lead to financial penalties. 

6. Insufficient Access Controls

Under HIPAA there must be access measures in place for electronic PHI. Failure to implement such measures, or failure to follow through once they are implemented, can lead to a HIPAA violation. 

Employees should also keep their computers locked when they are not using them. Otherwise, an employee may leave their unlocked computer unattended, and another person may use it to access PHI without authorization.

7. Failure to Implement a Risk Management Process

Covered entities should have a risk management process in place to prevent HIPAA violations before they occur. Such processes can prevent hackers and other unauthorized parties from accessing PHI.

8. Failure to Notify Parties of Breach

When unsecured protected health information is impermissibly used or disclosed – in other words, breached – and the privacy and security of that protected health information are compromised, patients must be notified. Failure to do so is a HIPAA violation.

Consequences of HIPAA Violations in Maryland

There are penalties in place for any entity that violates the provisions of HIPAA, and they can be severe. Civil penalties are typically imposed on entities that violate HIPAA but do so without malicious intent. Criminal penalties are generally imposed when an entity has knowledge that they are engaging in an activity or action that violates HIPAA. 

Defenses to HIPAA Violations

Not all HIPAA violations are indefensible. You may have a defense that can negate liability or culpability. The following are some of the most commonly used defenses to HIPAA violations. 

Authorization Was Obtained

When a covered entity has been accused of a HIPAA violation, the ability to show that the required authorization was obtained is a viable defense. In other words, when a healthcare provider allegedly releases a patient's PHI to an unauthorized party, they may not be in violation of HIPAA if they can show that the patient gave their consent to the release.

Unintentional Breach

Unintentional breaches can and do occur. As long as the breach was within the scope of the provider's authority and they do not disclose the PHI, a defense is available. For example, if a hospital employee thought they were supposed to access a certain patient's medical records but later learns it was the wrong patient, the employee might have a defense. In other words, if they were acting in the course of their duties and did not further disclose the PHI, they are not liable for a breach. 

This is in stark contrast to situations where employees intentionally access personal health information without authorization or, having obtained the PHI through an unintentional breach, unlawfully disclose that same information.

PHI Cannot Be Retained

If the party that disclosed the PHI does not believe that the entity receiving the PHI has the ability to retain it, then they have a defense to a HIPAA violation allegation.

An example would be a situation where a runner for a healthcare facility delivers sealed medical billing information to a vendor they believe is a business associate, yet the runner subsequently discovers they delivered the medical billing information to the wrong vendor.

As long as the medical records were able to be reclaimed before they were unsealed, the healthcare provider can, in good faith, claim as a defense that the PHI was not able to be retained by the party that had possession. 

Disclosure to Authorized Party

If a disclosure occurred, but it was between two parties that were both authorized to access the PHI, then they have a solid defense against any claims of HIPAA violations. For example, if the office manager in a dentist's office provides medical records of a patient to the wrong hygienist, and the mistake is corrected quickly and no other unauthorized breach occurs, they should have a defense against any HIPAA violation claims. 

Low Probability of Compromise

When the HIPAA violation refers to a failure to notify parties of possible PHI breaches, the covered entity can be held liable. Liability can be avoided if the covered entity can show that there was a low probability the PHI was compromised. 

Contact Me Today

Frank Spector Law is committed to answering your questions about Medical Malpractice, Birth Injury - Cerebral Palsy, Birth Injury - Erb's Palsy, Birth Injury - Development Delay, Wrongful Death, Surgical Errors, Emergency Room Malpractice, Misdiagnosis, Medication Errors, and Nursing Home Neglect law issues in Maryland.

I offer a Free Consultation and I'll gladly discuss your case with you at your convenience. Contact me today to schedule an appointment.


By Appointment Only
1340 Smith Avenue,
Suite 300
Baltimore, MD 21209

Please call to schedule an appointment