How You Can Assert Your Rights Under The HIPAA Privacy Rule If Your Doctor, Hospital Or Insurer Ignores The Law In Kingston, New York


Since 1996, the federal privacy law known as the Health Insurance Portability and Accountability Act (“HIPAA”) has threatened harsh civil and criminal penalties against “covered entities”, i.e., doctors, hospitals and health insurers, who violated the law. Until recently, the penalties existed in theory only. Recently, the Office of Civil Rights (the federal agency responsible for enforcing the HIPAA law) decided to wield its power…finally.

Here’s the story: Between September, 2008 and October, 2009, Cignet Health, a health insurer in southern Maryland, failed to provide 41 patients with copies of their medical records. Under the HIPAA Privacy Rule, the health insurer must provide patients with copies of their records within 30 days of the request, with one possible extension of an additional 30 days. Cignet Health ignored the requests, and the patients filed 41 individual complaints against Cignet Health with their regional Office of Civil Rights (“OCR”). Even after the complaints were lodged with the Office of Civil Rights, Cignet Health ignored the OCR’s requests for information about the complaints.

You were expecting the government agency to slap Cignet Health on the wrist, right? Not so fast, my friend. The Office of Civil Rights slapped a civil monetary fine of $1.3 million on Cignet Health and yes, it gets better, the OCR imposed an additional $3 million fine for Cignet Health’s refusal to cooperate with the federal agency’s investigation. The Office of Civil Rights has made it clear that the days of a slap on the wrist are over! YES! (and it’s about time!).

Why, you may ask, did Cignet Health so brazenly ignore the requests for medical records made by 41 patients and the OCR’s investigation? Very simple: Cignet Health was expecting a wimpy response from the Office of Civil Rights to the complaints lodged by the patients. And why wouldn’t it? Since the HIPAA Privacy Rule (codified at 42 U.S.C. section 1320d-5 and enforced under 45 C.F.R. Part 160, subpart D) was enacted in 1996, the Office of Civil Rights had not imposed a single monetary fine upon any covered entity. Simply put, the federal government was not enforcing the HIPAA law. Boy, how fast things change!

The Office of Civil Rights has issued its first monetary penalty to a “covered entity” for violations of the HIPAA Privacy Rule and it was a whopper: a $4.3 million fine. For the first time, patients have an enforcement mechanism with teeth.

Okay, so what can you do if a medical provider, i.e. doctor, hospital or health insurer, ignores your rights to get copies of your medical records or discloses your confidential medical information without your permission? You guessed it. You should file a complaint with the regional office of the Office of Civil Rights.

The Office of Civil Rights has ten regional offices and each regional office covers specific states. In New York State, you should send your complaint to the attention of the OCR Regional Manager at the following address: Office for Civil Rights, New York Region II, Michael Carter, Regional Manager, U.S. Department of Health and Human Services, Jacob Javits Federal Building, 26 Federal Plaza–Suite 3312, New York, New York 10278. You can call the New York regional office at 212-264-3313 or send a fax to 212-264-3039.

Now, you know what to do and we finally have encouraging news that the federal government will enforce HIPAA, so don’t let doctors, hospitals and health insurers push you around! Be prepared with your complaint to the Office of Civil Rights just in case your doctor or hospital does not respect your rights under HIPAA.

If you have questions or want more information, I welcome your phone call on my toll-free cell at 866-889-6882. You can always request my FREE book, The Seven Deadly Mistakes of Malpractice Victims, at the home page of my website at