Do I have any legal rights if a doctors office is not disposing of personal information properly?
Responsibility for privacy is placed on the people who have the records. All entities holding patient records must establish formal internal procedures to ensure that health records remain private. These procedures should include employee training, designation of a "privacy officer" to assist patients with complaints, and ensuring that appropriate safeguards are in place for the protection of health information. There are civil penalties of $100 per person for unintentional disclosures and other violations (up to $25,000 per person per year). The rules do not limit a person's individual right to sue and be compensated for damages related to improper use of medical records.