The Human Side of HIPAA Privacy is Patient’s Rights
Almost everyone gets into healthcare for one reason: to help people. Whether it’s at a hospital as a provider or a corporate office as a Privacy Officer, the goal tends to lean towards helping those in need. In the healthcare sector, what comes to mind when you think of Patient’s Rights? Hopefully you thought about the different rights patients have under HIPAA: the right to access records, to restrict disclosure of records, to amend records, to confidential communication of records, to disclosure of accounting of records, and to file a HIPAA complaint. Your organization should have a process or practice in place on how to address each of these.
A patient comes in for an employer-paid pre-employment drug screen. They sign the HIPAA form and proceed with the service. The next day the patient contacts the center and says they would like to revoke their authorization. What do you do? A recurring patient emails the hospital requesting an amendment to their medical record. What do you do? A patient calls the clinic and requests a copy of their medical records to be sent to them via email. What do you do? These requests can seem trivial and be dismissed as headaches, but they are central to trust with a patient and to a compliant privacy program. It is another way we can help our patients. Whether it is as simple as a record request or as complicated as a revocation request, we are required to treat each request with importance and help our patients and organization through this process. Every one of these requests reflects a concern or vulnerability from a patient. So, your readiness and ability to humanize the process while respecting their rights is, in my opinion, supreme.
Treating patient requests seriously reinforces that privacy is not just a regulation, but a core value of your organization. As a Privacy Officer, creating an environment that puts safeguarding patients’ information at its forefront also means safeguarding their rights as patients. Each request should be reviewed and handled in a timely manner under your organization’s standardized practices. In my opinion, the more prepared you are to handle them, the easier it will be once these requests come in, and they will come in. Training your staff to recognize and correctly route or address these requests in a timely manner is critical. This will help reduce delays and frustrations for both staff and patients. Failure to address them can lead to patient complaints and OCR involvement, things we absolutely want to avoid.
When responding to these requests, doing so with compassion, especially when they can’t be granted, is important to establish and keep the patient’s trust and cooperation through the process. When a patient is told an amendment request is denied, this can be understandably frustrating for the patient. Showing compassion while still providing the required determination, in my opinion, is best practice for the most desirable outcome for the patient and organization.
In my experience, patients want to be heard. They don’t want to feel like they are just a number in an EMR system. When a HIPAA complaint comes into my privacy office, the first thing I do is listen. When an amendment request comes in, the first thing I do is let the patient know we have received their request and are reviewing it internally. I am letting them know they are heard. The rest is following the process in place, remembering to be HIPAA compliant and to care at the same time.
HIPAA complaints and amendment requests are rights given under HIPAA, and when responding to them you should put yourself in the shoes of the patient. How would you want to be treated if it were you requesting these same rights granted to all of us under HIPAA? We can’t lose sight of the reason why people get into healthcare, which is to help people. I recommend building a privacy program that reinforces the importance of helping people. Be relatable, safeguard, and address these requests with care. Remember that the reason most get into healthcare is to help people. So, let’s help them one patient request at a time.
The post The Human Side of HIPAA Privacy is Patient’s Rights appeared first on The HIPAA Journal.
LCMC Health Agrees to Lawsuit Over Tracking Code on Patient Portal – The HIPAA Journal
LCMC Health Holdings and Louisiana Children’s Medical Center have agreed to settle a lawsuit that alleged that tracking code added to its website and patient portal transmitted sensitive patient information to Facebook, Google, and others without patients’ knowledge or consent.
According to the lawsuit, Pebbles Martin v. LCMC Health Holdings, Inc. and Louisiana Children’s Medical Center, LCMC Health added Meta Pixel and other tracking tools to its website and patient portal, which tracked, recorded, and disclosed patients’ personal health information to Facebook, Google, and other third parties. The tools were able to track various metrics, including the pages visited, the buttons clicked, and specific information input into the website. The lawsuit alleged that the data transmitted by the tracking tools was used to serve website visitors with targeted advertisements and gain an intimate personal profile of patients without their knowledge or consent.
LCMC Health is one of many healthcare providers to add Meta Pixel and other tracking tools to their websites and patient portals. When widespread use of these tools by healthcare providers was identified, the HHS’ Office for Civil Rights issued guidance, warning that these tools likely violated the HIPAA Rules. The guidance was challenged in court, and a judge sided with the plaintiffs, partially vacating the guidance. While these tools can be used on websites without violating the HIPAA Rules, they cannot be used on patient portals unless the provider of the code signs a business associate agreement or HIPAA-compliant authorizations are obtained.
LCMC Health maintains there was no wrongdoing; however, to avoid the cost and uncertainty of protracted litigation, it agreed to a settlement to bring the litigation to an end. Under the terms of the settlement, class members will be given cash compensation along with a one-year membership to Cyex Privacy Shield Pro. Members of the settlement class, individuals who used the LCMC patient portal between January 1, 2019, and November 30, 2022, may submit a claim for a cash payment of $15 and will be automatically provided with a code to enroll in the Privacy Shield Pro service.
LCMC Health has also agreed to remove and refrain from using certain tracking technologies on its website and patient portal for a period of two years from the date of final approval of the settlement. The settlement has received preliminary approval, and the final approval hearing has been scheduled for November 7, 2025. Claims for the cash payment must be submitted by November 25, 2025, and individuals wishing to opt out of or exclude themselves from the settlement must do so by October 27, 2025. Notifications about the settlement were mailed to class members on August 27, 2025.
The post LCMC Health Agrees to Lawsuit Over Tracking Code on Patient Portal appeared first on The HIPAA Journal.