Affirmed: No Individual Private Right of Action Under HIPAA

June 21, 2018

In holding with long-established precedent, a federal judge held on June 15 that the Health Insurance Portability and Accountability Act (HIPAA) does not provide a private cause of action for individuals who believe their rights have been violated under the statutory scheme.

In an action against Labcorp, plaintiff Hope Lee-Thomas claimed that during a visit to a Washington, D.C., hospital, her protected health information (PHI) was in plain sight of other individuals and, thus, her patient privacy rights under HIPAA were violated. The judge rejected the claim, stating that while HIPAA provides both civil and criminal penalties for improperly handled or disclosed PHI, the statutory language clearly limits enforcement to actions by the Department of Health and Human Services (HHS) and states’ attorneys general. The opinion cites cases from a number of federal circuits, including Acara v. Banks, 470 F.3d 569, 571–72 (5th Cir. 2006), which stated, “Every district court that has considered this issue is in agreement that the statute does not support a private right of action.”

Lee-Thomas received treatment from LabCorp during a visit to Providence Hospital in Washington, D.C., in June 2017. She was instructed to input medical information into a computer intake station, and she believed the computer screen could be seen by a patient using another computer intake station nearby. Once she noticed the proximity of other patients to the intake station, she photographed the stations and notified a Labcorp employee. Shortly after the incident, Lee-Thomas sent a letter to Providence Hospital and a complaint to HHS describing the potential HIPAA violations. She later filed another complaint with the District of Columbia Office of Human Rights (OHR) related to the violations, claiming that Labcorp’s possible HIPAA violations constituted a failure to make “proper public accommodations” for patients.

HHS dismissed Lee-Thomas’s complaint for failure to state a claim, and OHR suggested she bring the claim in the Superior Court of the District of Columbia, which she later proceeded to do. Labcorp removed the case to the U.S. Court of Appeals for the District of Columbia Circuit and filed a motion to dismiss for failure to state a claim on the grounds that HIPAA does not provide a private right of action. Judge Rudolph Contreras agreed with Labcorp and granted the motion to dismiss, citing HIPAA’s lack of private right of action and also Lee-Thomas’s failure to respond to Labcorp’s motion.

While this case makes it clear that individuals cannot bring a case based solely on violations of HIPAA, claims related to privacy of health information may still be viable under state law. Certain states have privacy laws creating private causes of action in tort or negligence. So, while an individual plaintiff bringing claims for violations of HIPAA almost certainly will fail in federal court, healthcare providers are not necessarily off the hook for liability to individuals for health information privacy violations.