My dr.s office sent my entire medical records to another lady. She looked up my sisters number in the phone book (I had not updated my new phone number yet) and called my sister and explained that she ordered her records and received mine also. She has my social security number, my entire medical records, and than come to find out the lady was refused to be seen by their doctors anymore because she was seeing several different doctors and receiving narcotics from all of them. My doctors office didn't even call me but they were blowing up her phone trying to get the records back. I informed her that it would be fine for the doctors office to pick up my records she got mad and hung up on me. That's where I am at now. I don't know if she's going to give them back she's already had my information for a week, I don't know what she has done please help I cannot find an attorney that deals with that kind of case.

Where is this lady? Is she in town, maybe you should arrange to have your records picked up by someone else? Not a very nice position to be in. I would obtain a lawyer to address the doctors office for such a huge breach.

The first thing I would do is call the three big credit agencies and put an identity theft hold on any credit requests. They will have to call you for any credit card requests and that can cut down on most credit card fraud that could be encountered. Chances are that if this woman called you and identified herself to you, she is hopefully not dumb enough to then steal your identity. Next I would contact her again if you can and get your records back. You may want to pick them up in person or have them mailed to you via certified mail. As for the attorney, I would look for an attorney that handles personal injury. This is tough because of as right now you don't really have any injuries besides feeling like you can't trust your doctor. You could sit down with the doctor's office staff and possibly go through a list of things you would like them to do so that you don't file an official HIPPA complaint. If you do this I would ask for the following:

1. The cost of checking your credit every 2-3 months with all three credit agencies for 3 years. This would be about $200 a year or so.
2. Have them implement a flag/labeling system for all duplicate name patients. They should cross and double cross check files before sending them off. This can just be good medical practice as one patient could have a serious drug allergy and if the wrong chart is given, the doctor may not know.
3. Have them assume any legal fees you might incur as a result of identity theft resulting from the mis-management of your medical record. This will be hard to get them to agree to and you might want to have a lawyer present or negotiate this one as it could be potentially costly for the doctor's office.

Good luck and I hope nothing comes of someone seeing your medical records.

The first thing I would do is call the three big credit agencies and put an identity theft hold on any credit requests. They will have to call you for any credit card requests and that can cut down on most credit card fraud that could be encountered. Chances are that if this woman called you and identified herself to you, she is hopefully not dumb enough to then steal your identity. Next I would contact her again if you can and get your records back. You may want to pick them up in person or have them mailed to you via certified mail. As for the attorney, I would look for an attorney that handles personal injury. This is tough because of as right now you don't really have any injuries besides feeling like you can't trust your doctor. You could sit down with the doctor's office staff and possibly go through a list of things you would like them to do so that you don't file an official HIPPA complaint. If you do this I would ask for the following:

1. The cost of checking your credit every 2-3 months with all three credit agencies for 3 years. This would be about $200 a year or so.
2. Have them implement a flag/labeling system for all duplicate name patients. They should cross and double cross check files before sending them off. This can just be good medical practice as one patient could have a serious drug allergy and if the wrong chart is given, the doctor may not know.
3. Have them assume any legal fees you might incur as a result of identity theft resulting from the mis-management of your medical record. This will be hard to get them to agree to and you might want to have a lawyer present or negotiate this one as it could be potentially costly for the doctor's office.

good luck and I hope nothing comes of someone seeing your medical records.


I don't believe you can demand that the Physician do anything in his office that is not already required by law (including HIPAA) nor do I think you can or should negotiate anything directly with the Physician's office. His office made a mistake. However, you have no idea where this is going to go and you must file a complaint with HIPAA within a certain number of days - I believe it's 180 - or your claim goes stale. I think it has to be reported.

I wouldn't fool around with this any longer. Contact your local Bar Association and get moving. You have no idea where your medical info is floating around, the Doctor has made a very bad mistake, he does have liability insurance to cover this type of mistake, the Government is very unhappy with errors of this nature.

I would be horrified and furious!

And the credit company suggestions are good - yes, protect yourself before someone (and who knows who the woman who has your records has handed them off to) assumes your identity.

I have attended more than a few HIPAA training sessions with my husband and with the guidelines Physicians are SUPPOSED to be following this is horrifying - worse case scenario I've seen!

I don't believe you can demand that the Physician do anything in his office that is not already required by law (including HIPAA) nor do I think you can or should negotiate anything directly with the Physician's office. His office made a mistake. However, you have no idea where this is going to go and you must file a complaint with HIPAA within a certain number of days - I believe it's 180 - or your claim goes stale. I think it has to be reported.

First of, please show me where I said DEMAND? I believe I used the words sit down, talk, and ask. Please do not add words to my posts that are not there. Secondly, you can ask for whatever you want and the OP is not required to report a single thing. I have come across MANY HIPPA violations in my career and we usually work out something with the doctor and it is not reported. There are much easier solutions where both parties walk away happy that do not have to end in conflict. If OP wants to continue having this doctor as her doctor, then she might want to go the least confrontational route as possible.



I wouldn't fool around with this any longer. Contact your local Bar Association and get moving. You have no idea where your medical info is floating around, the Doctor has made a very bad mistake, he does have liability insurance to cover this type of mistake, the Government is very unhappy with errors of this nature.

A HIPPA violation does not equal malpractice. OP would have to show damages first, and I don't see any from what she posted, do you? As for the government being unhappy, yes they will be, but only to fine the doctor a few grand. This is not a serious HIPPA violation. I see the wrong records sent all the time. It happens, especially in big offices.

If I were the OP officer, I would write a letter to the doctor requesting what I set out above. No, they do not have to do any of it, but most would to avoid HIPPA fines and a HIPPA reporting. The reality is that the OP is unlikely to get any damage relief from a HIPPA complaint filing, her damages as they stand right now is watching her credit reports. Criminal liability under HIPPA is for those that KNOWINGLY transmit someone's information "if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm". The Doctor's office sent the wrong records, similar name accidentally, so criminal charges would not apply. Civil fines are about $100 for each violation (not sure how many violations would be in this case, depends on what was sent)

First of, please show me where I said DEMAND? I believe I used the words sit down, talk, and ask. Please do not add words to my posts that are not there. Secondly, you can ask for whatever you want and the OP is not required to report a single thing. I have come across MANY HIPPA violations in my career and we usually work out something with the doctor and it is not reported. There are much easier solutions where both parties walk away happy that do not have to end in conflict. If OP wants to continue having this doctor as her doctor, then she might want to go the least confrontational route as possible.



A HIPPA violation does not equal malpractice. OP would have to show damages first, and I don't see any from what she posted, do you? As for the government being unhappy, yes they will be, but only to fine the doctor a few grand. This is not a serious HIPPA violation. I see the wrong records sent all the time. It happens, especially in big offices.

If I were the OP officer, I would write a letter to the doctor requesting what I set out above. No, they do not have to do any of it, but most would to avoid HIPPA fines and a HIPPA reporting. The reality is that the OP is unlikely to get any damage relief from a HIPPA complaint filing, her damages as they stand right now is watching her credit reports. Criminal liability under HIPPA is for those that KNOWINGLY transmit someone's information "if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm". The Doctor's office sent the wrong records, similar name accidently, so criminal charges would not apply. Civil fines are about $100 for each violation (not sure how many violations would be in this case, depends on what was sent)


I apologize for my use of the word “demand.” You are correct, you did not say demand. You said the OP “should sit down with the Doctor’s office and possibly go through a list of things [OP] would like them to do so that [OP doesn’t] file an official HIPAA complaint.” It sounds more like “you do this or I’ll do that” and I do agree that is not a demand. I never think threats of this nature work but my experience is certainly different from yours. I am also not aware of any Attorney who will accompany the OP to the Physician’s office without being retained.

And you have misread my posting - I never said this was a criminal matter or a medical malpractice matter. It certainly is not. At any rate if it WERE a criminal matter the Doctor’s liability insurance (which I mentioned) would try to deny coverage. You ask me if I see damages - yes, I do. The OP’s medical records are floating around out there and the person who has them does not seem to be cooperating. Yes, I see a potential for damages here. I don’t think you wait until the situation is out of control; I think you ask for legal advice now. If the situation is resolved, fine; if not, you are protected.

If the OP is going to have problems in the future stemming from the unauthorized release of her medical records and hasn’t reported this as a violation she will be out of luck.

I never suggested that the OP would get some sort of money or damages out of reporting the violation; I simply meant that if there are damages it will not be in her favor if she was aware of the breach and did nothing.

I realize you have handled many HIPAA violations and I believe you posted that you have handled medical malpractice class action lawsuits which might have involved HIPAA violations (and you know I don’t understand the basis for a medical malpractice class action lawsuit) so you definitely have superior knowledge; however, it is not HIPPA (as you refer to it), it is HIPAA.

I personally do not think this is worth taking to an attorney as of yet (unless she would like one to write a letter). The cost of an attorney handling this would much more than any damages she currently has (and the only tangible ones I see is the cost of monitoring her credit). One cannot sue for what if damages in a situation like this. All I can advise is that if a client came to me, I would ask said client if they would like me to draft a letter stating the previous statements. My fee would be more than the client seeking her remedy on her own. Just my opinion though.

As for why I mentioned criminal charges, that is because that is the more severe punishment under HIPAA. $100 isn't a lot of money to most offices. I think OP might get some better results if she lets the Doctor's office know that she knows they have yet to get the records back and that they released them to the wrong person.

And whoops on the misspelling of the acronym. I have a shortcut key and HP put in HIPPA. I must have put it in wrong the first time. Doesn't help that I have a 3yr old crawling all over me. :p