The Health Insurance Portability and Accountability Act (HIPAA) imposes requirements on healthcare entities involved in the exchange of health
information to protect the confidentiality of such information. It provides both civil and criminal penalties for individuals who improperly handle or
disclose individually identifiable health information. HIPAA does not create a private right of action under federal law. However, a recent decision
by a district court in Missouri held that HIPAA may form a basis of a state law “negligence per se” claim.

In I.S. v. Washington University, E.D. Mo., No. 11-235, 6/14/11, the U.S. District Court for the Eastern District of Missouri refused to
dismiss plaintiff’s claim for negligence per se, despite its reliance on HIPAA, and remanded the case to state court. In this case, plaintiff alleged
that defendant made an unauthorized release of certain medical records to plaintiff’s employer, which resulted in harm to the patient. Under Missouri
law, the elements of a claim for “negligence per se” are: 1) a violation of a statute; 2) the injured plaintiff was a member of the class of
persons intended to be protected by the statute; 3) the injury complained of was of the kind the statute was designed to protect; and 4) the violation
of the statute was the proximate cause of injury.

In asserting negligence per se, the plaintiff relied solely on HIPAA to meet the required elements of the claim. Defendant moved to dismiss this claim
in federal court on the basis that HIPAA does not create a private cause of action. However, plaintiff contended that its reference to HIPAA in its
negligence per se action was merely to establish the legal duty of care rather than a means to find a private cause of action under HIPAA, and that the
case should be remanded to state court as it is not a matter of federal subject matter jurisdiction. Ultimately, the court agreed and declined to
dismiss the negligence per se claim, although it did remand the case to state court.

The Washington University case is not the first case to hold that HIPAA may be referenced as a basis for a state law claim. For example, in Acosta v. Byrum, 638 S.E.2d 246, 253 (N.C. Ct. App. 2006), the North Carolina Court of Appeals allowed a plaintiff to make an intentional
infliction of emotional distress claim against a psychiatrist by relying on HIPAA. In that case, the psychiatrist allegedly allowed an office manager
to have access to medical records that were used to cause harm to the patient. The plaintiff used HIPAA to establish the standard of care element
required in a claim for negligence. The trial court dismissed the claim stating that HIPAA does not create a private cause of action. However, the
appeals court reversed, not because HIPAA creates a private cause of action, but because the court found it appropriate to use HIPAA to establish the
standard of care in claims alleging that the defendant violated that standard.

The cases above illustrate the interplay between HIPAA and state law and open the doors to future lawsuits where plaintiffs use HIPAA as a basis for
private claims. The risks of such private causes of action are only expected to increase, particularly with the expanded duties that will be laid out
in the forthcoming final regulations to HIPAA, which are being modified by the 2009 Health Information Technology for Economic and Clinical Health
(HITECH) Act. These final regulations will contain provisions that update HIPAA and extend yet-to-be-finalized health data privacy and security rules
to healthcare entities, including funding for heightened HIPAA enforcement.

Due to the increasing reach and breadth of HIPAA, healthcare providers must ensure strict compliance in order to avoid not only regulatory enforcement
but also individual lawsuits. McGuireWoods serves as counsel to a broad range of healthcare entities covered under HIPAA and can assist with all areas
of HIPAA compliance. For more information on this topic, or for guidance to help ensure compliance, please contact us.