How JustAnswer Works:
  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site.
    Ask follow up questions if you need to.
  • 100% Satisfaction Guarantee
    Rate the answer you receive.
Ask Dwayne B. Your Own Question
Dwayne B.
Dwayne B., Attorney
Category: Legal
Satisfied Customers: 33736
Experience:  Began practicing law in 1992
Type Your Legal Question Here...
Dwayne B. is online now
A new question is answered every 9 seconds

What is HIPPA and is there a time limitation during which unauthorized

This answer was rated:

What is HIPPA and is there a time limitation during which unauthorized access to medical records must be disclosed and is the notice to be in writing?

If a stroke victim who has days of going in and out of being alert is not advised that his medical records were modified, will there be liability on the medical records provider

JD 1992 : Hello and thank you for contacting Just Answer. I am an expert here and I look forward to assisting you today. If at any point any of my answers aren’t clear please don’t hesitate to ask for clarification.
JD 1992 : HIPAA is the Health Insurance Portability and Accountability Act.
JD 1992 : In essence it is a federal law which protects medical information for unauthorized disclosure, or at least that is what it is normally used for.
JD 1992 : There is a specific time limit, 60 days, for a provider to notify a person that there was an unauthorized breach of their medical information.
JD 1992 : As far as liability, the courts have ruled that HIPAA does not allow for a private lawsuit if there is a breach of medical privacy.
JD 1992 : A person's only remedy is to report the breach to the proper licensing authorities, to the Attorney General of that state, or to the US Department of Health and Human Services. They may choose to pursue an action against the provider who allowed the breach but the person themselves cannot.
JD 1992 : I believe that I answered the questions you asked but please ask any follow up questions in this thread. When all of your questions have been answered, then I would ask that you give a Positive Rating (of course I'd suggest Excellent) since that is the only way I get credit for my work and also please consider clicking "BONUS" as a nice way of saying "thanks" for a job well done, although this is neither required nor expected. When looking at the answer I ask you to bear in mind I can’t control what the law is and whether it helps you, I can only tell you what it says, and I assume you want truthful information. Also, issuing a positive rating keeps the question from “timing out” so you can return in the future if you think of a follow up. However, please do not issue a rating of any kind until all of your questions have been answered and please use the Reply button to ask additional questions or to provide answers to my questions.Several customers have asked how they direct a question to me in particular. If you specifically want me to provide information for you on a future question just put “FOR JD 1992” in the subject line and I will pick up as soon as I see it.
Customer: Problem: stroke victim who lived with a lover for 30 years is admitted into hospital and names his mate as his point of contact. Patients wife finds out and asks hospital to add her name and the hospital does even though she does not present any identification. Ultimately the wifes granddaughter gets fired for having participatingin the chane. Notice of none of the unauthroized access or change was provided to patient who surely would have insisted that the hospital change it back. Or best still, patient would have insisted that mate get the durable power atty so that no changes oculd be made. Ultimately, the patient gets sicker and hospital ultimately allows the wife to substitute her name bec she had a valid license. Then the Hosiptal uses the wifes substitution as their rationale for permanent barring the mate from the hospital even though they acknowledge that she ahd done nothing wrong. They were motivated to remove the mate because of the multiple complaints he lidged abouthis care after being admitted.
Customer: Does that 60 day requirement of notice have to be in writing or will oral notice be sufficient?
Customer: What is the citation for the HIPPA and that provision for notice?
JD 1992 : I'm back. Please give me a moment to read through your last post.
Customer: ok
JD 1992 : Let me look for the citation. I'll be back in a few minutes if you wouldn't mind waiting here.
JD 1992 : It is section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA.
JD 1992 : It was published at 74 FR 19006 on April 27, 2009
JD 1992 : It was amended again in January of 2013, but no substantial changes as far as the facts of this question occurred.
JD 1992 : Now let me look to see if there is a specific method that must be used to notify the person of the breach.
JD 1992 : I don't see a specific method of giving the notice set forth in the rules, but the rules are scattered. The rules do state that the notice has to include the following (as much as possible):1. A brief description of the breach, including the date of the breach and the date on which it was discovered;2. A description of the unsecured PHI involved in the breach (e.g., full name, social security number, diagnosis);3. A description of the steps the individual should take in order to protect himself/herself from potential harm caused by the breach;4. A description of the steps the covered entity is taking to investigate and mitigate the breach, and prevent future breaches; and5. Instructions to enable the individual to contact the covered entity, including a toll-free telephone number, an email address, web site or postal address.
JD 1992 : The Department of Health and Human Services has a page on this topic at
JD 1992 : But it really doesn't have a lot of usable information.
JD 1992 : In addition, the burden of proof of providing the notice is on the health care provider and, in addition, they are supposed to have a set of written guidelines on how this is to be done so you could request those and then see if their guidelines require for the notice to be in writing.
JD 1992 : Are you still there?
Customer: I was reading. Im sorry. The info you are giving is very helpful.
Customer: Do you have a citation for the Md Durable power of Attorney Act?
JD 1992 : No problem. Sometimes Chat acts up and knocks the other person offline and we don't know it so I was just checking.
JD 1992 : For the Maryland Durable POA Act?
Customer: Im thinking that if the Hospital had only disclosed the change when the patient waslucid thathe would have insisted on a correction and directed the Hospital to hoor his power of atty.
Customer: yesMaryland Durable POA Act
JD 1992 : Under your facts that sounds likely. The Act is 17-105 of the Estates and Trusts Code. You can see it at
JD 1992 : It would actually be all of Chapter 17
JD 1992 : A better link for it would be
Customer: Last, whats the citation for the HIPPA?
JD 1992 : Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-9
Customer: Thanks for your expertise. You were very helpful.
Dwayne B. and 6 other Legal Specialists are ready to help you