The California Constitution enumerates the right to privacy as an inalienable right, and as part of that, people’s medical records are safe from government sanctioned inspection—including lawsuits, unless the medical records are directly relevant to the claim. This will come up most frequently in personal injury cases. You get hurt and the defendant tries to do everything they possibly can to say that you weren’t hurt as badly as you claim to be.

One of the ways defendants try to claim you aren’t hurt as badly as you state is by pointing to medical records after the date of injury. That is completely fair game. However, sometimes, they will try to go fishing in your past regarding other injuries to try to say a problem you have now is actually a pre-existing injury. Unfortunately, a lot of times this is an allowable practice, as long as the proper procedures are met. Sometimes though, the defendant will procure medical information through illegitimate means. The most common way this occurs is when a medical provider gives them your medical records pursuant to a subpoena even though you have either properly objected or have timely filed a motion to quash. What do you do in those occasions?

Well, while your right to privacy is enumerated in the California constitution, the greatest medical records protection actually comes from the federal government through HIPAA. HIPPA is a series of laws that outlines the protections of patient’s medical records. There can be severe penalties if HIPAA is not followed, including up to a $500,000 fine. 42 U.S.C. §1320d-5 and §1320d-6 set out the penalties of knowingly or unknowingly failing to comply with the procedures. A lot of people get confused by these sections because they appear to broadly apply to “any person who violates a provision of this part” and in particular §1320d-6 states that the penalty is applicable to any person who “obtains” the health information.

Because of this broad “any person” language, a lot of people want to use these sections to go after they people that received the information, not the people that gave the information. However, §1320d-1 makes it clear that these laws only apply to health plan providers, health care clearinghouse, and health care providers—and those that are employed by those entities. So when the penalty code sections say “any person” they actually mean, “any person that falls into one of these three categories.”

This can be deflating for a lot of people that want to punish those that sought out the personal information. However, just because HIPAA does not apply to them, that does not necessarily mean that they are off the hook completely. Depending on what they do with that information, the person that received the information can still be held liable.

For example, a football player that plays for the New York Giants blew up his hand in a Fourth of July fireworks accident in 2015. During that time, he was in tense contract negotiations with the Giants and so he was trying to keep the extent of his injury a secret from the Giants. However, an ESPN reporter received a copy of his medical chart and the ESPN reporter then tweeted out the extent of the injury. As a result of this the football player was paid less money than he otherwise would have, two members of the hospital staff were fired for violating HIPAA, and the football player sued ESPN. However, he did not sue ESPN on the basis of a HIPAA violation (because it does not apply to ESPN) but instead on the basis of public disclosure of private fact. Whether the football player will be successful on this claim is a toss-up at the moment, however, unless you are a public figure, if a similar thing happened to you, you would likely be able to easily win a public disclosure of private fact case.