Case Law Update: Just Because HIPAA Does Not Provide a Private Right of Action, Doesn't Mean that Other Avenues Exist
Simply stated, the Health Information Portability and Accountability Act (HIPAA) does not provide a private cause of action. And, prior to the 2009 passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the more robust chain of liability (e.g. covered entities, business associates and subcontractors) under the Breach Notification Rule, several courts had held this notion to be true.
Over the past decade, a shift has occurred where state and federal courts are holding that healthcare providers who breach HIPAA and other cybersecurity provisions may be pursued for a variety of common law claims including: negligence, emotional distress, breach of confidentiality, invasion of privacy, contract violations, and punitive damages. The premise for bringing a cause of action for privacy violations stems from the fundamental source of American jurisprudence - the United States Constitution. In re Columbia Valley Regional Medical Center, 41 S.W.3d 797, 802 (2001) established that, "there is a constitutional right of privacy in this case. Apart from any statutory or evidentiary privileges that apply, the medical records of an individual have been held to be within the zone of privacy protected by the United States Constitution." See In re Xeller, 6 S.W.3d 618, 625 (Tex. App. - Houston [14th.] 1999, orig. proceeding) (citing Alpha Life Ins. Co. v. Gayle, 796 S.W.2d 834, 836 (Tex. App. - Houston [14th Dist.] 1990 no writ).
Recent cases that uphold this motion include:
Byrne v. Avery Center for Obstetrics and Gynecology SC 18904 (Nov. 11, 2014) - A patient advised her doctor not to provide any information to her significant other because of a paternity suit. The significant other's attorney issued a subpoena and the health center, instead of alerting the patient or fighting the subpoena, simply handed over the records. The Connecticut Supreme Court held that HIPAA does not preempt against negligence claims and may be utilized in establishing the applicable standard of care.
Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006) - A patient was treated by a physician who gave his access code to a third party, who in turn, viewed his records. The North Carolina Court of Appeals held that a privacy violation based on HIPAA violations was not a malpractice claim, so no expert certification was necessary; and HIPAA may be utilized in establishing the applicable standard of care.
John Smith v. Arvind R. Datla, et al., Case No. A-1339-16T3 (Superior Court of New Jersey Appellate Division (Jul 12, 2017) - The judge kept alive a suit accusing a physician for disclosing a patient's HIV status without the patient's consent to an unauthorized third party.
These cases underscore the importance of compliance with HIPAA and the HITECH Act. Actions brought by the Federal Trade Commission, class action law suits and Securities and Exchange Commission requirements were not discussed. The take-away is that HIPAA, the HITECH Act, and other cybersecurity violations can and do form the basis of a wide variety of causes of action. Therefore, underscoring the need to be proactive instead of reactive.
This Week's Audit Tip Written By:
Rachel V. Rose, JD, MBA Rachel V. Rose, Attorney at Law, PLCC
Rachel V. Rose, JD, MBA, is a Houston, TX-based attorney advising on federal and state compliance and areas of liability associated with a variety of healthcare, legal and regulatory issues including: HIPAA, the HITECH Act, the False Claims Act, Medicare issues, women's health as well as corporate and security regulations.
Article Resources:  42 USC § 1320d (1996).  Pub. L. 111-5, Sec. 13001 (Feb. 17, 2009). Valentin-Munoz v. Island Fin. Corp., 364F. Supp. 2d 131, 136 (D. Puerto Rico 2005); Univ. of Co. Hosp. Auth v. Denver Publ'g Co., 340F. Supp. 2d 1142, 1145-46 (D. Colo. 2004).  R.K. v. St. Mary's Medical Center, 2012 WL 5834577 (WV S.Ct. (Nov. 15, 2012), cert. denied.
NAMAS is setting the standards in medical auditing & education
The NAMAS team and faculty work hard to bring you membership resources, products, tools, and training that is not only timely and specific to medical auditing and compliance, but also that is specific to the needs of medical practices today. NAMAS staff are industry recognized experts who provide audits and consulting services to active clients which gives NAMAS the cutting edge to provide relevant training.
If you have questions or comments about this article please contact us. Comments that provide additional related information may be added here by our Editors.
This ruling impacts what providers and suppliers are required to disclose to be considered eligible to participate in Medicare, Medicaid, and Children's Health Insurance Program (CHIP). The original proposed rule came out in 2016 and this final rule will go into effect on November 4, 2019.
There have been known problems ...
When federal employees sustain work-related injuries, it does not go through state workers compensation insurance. You must be an enrolled provider to provide services or supplies. The following are some recommended links for additional information about this program.
Division of Federal Employees' Compensation (DFEC) website
Division of Federal Employees' Compensation (DFEC) provider ...
The new 2020 CPT codes are on the way! We are going to see 248 new codes, 71 deletions, and 75 revisions. Health monitoring and e-visits are getting attention; 6 new codes play a vital part in patients taking a part in their care from their own home. New patient-initiated ...
Is the Functional Rating Index, from the Institute of Evidence-Based Chiropractic, valid and acceptable? Or do we have to use Oswestry and NDI?
You can use any outcome assessment questionnaire that has been normalized and vetted for the target population and can be scored so you can compare the results from ...
Cranial nerves are involved with some of our senses such as vision, hearing and taste, others control certain muscles in the head and neck. There are twelve pairs of cranial nerves that lead from the brain to the head, neck and trunk. Below is a list of Cranial Nerves and ...
You know how to find a procedure code and you may even know how to do the procedure, but where does the reimbursement come from? It seems to be a mystery to many of us, so let's clear up some common confusion and review some of the main reimbursement systems. One of the ...