A patient signed a disclosure form allowing her disability insurance carrier to receive information relating to her injuries from a recent car accident. As a result of the accident, she has not been able to work and has applied for disability coverage. Her doctor’s office received the signed form and sent her medical records to the insurance carrier. The doctor’s office, however, did not separate her recent information from her past treatment for unrelated illness. The patient had been treated for depression and other mental illness prior to her car accident. The insurance company receives all her medical information, including the records relating to her prior treatment for mental illness. Has there been a HIPAA violation? Does it matter that the patient signed a HIPAA disclosure form? What should the doctor’s office done differently if anything? Can the patient bring a civil claim against the doctor? If she does, do you think she will be successful? What is your opinion? What could the doctor’s office do differently in the future to prevent any HIPAA compliance errors?