When it enacted HIPAA, the Department of Health and Human Services (HHS) chose to use a “carrot” rather than “stick” approach to enforcing the law. Penalties have been given for major breaches, but aside from that, there is little financial skin in the game for providers. At least until now.
When a provider wrongfully discloses protected health information, HIPAA does not provide patients with a legal remedy other than reporting the incident to HHS. But courts have begun to look at the issue differently, ruling, in some cases, that providers can be sued under state rules pertaining to privacy and negligence for breaches.
“Courts are beginning to say that just because the federal government didn’t give a remedy, it shouldn’t preclude patients from bringing a suit in states,” said Chad Eckhardt, a member in the regulated business group at Frost Brown Todd in Cincinnati, Ohio.
Recourse at the state level
It was a 2014 Supreme Court decision in Connecticut that set a precedent allowing providers to be sued for HIPAA violations. A patient filed a lawsuit against her obstetrician when the provider mailed her medical records to a court in response to a subpoena related to paternity suit filed by her ex. She was not informed of the subpoena by her provider and she filed for negligence, negligent emotional distress, breach of contract, and negligent misrepresentation as to the safety of her records. Although originally dismissed, her case ended up at the state supreme court, which ruled that her case stated a claim for which relief may be granted and remanded it for trial.
There are numerous torts for which individuals can seek redress for personal injury, but some are not suitable for filing lawsuits related to HIPAA violations. Two such torts are invasion of privacy and public disclosure of private facts, Eckhardt said. Plaintiffs have to prove damages. Those torts rarely result in physical damage, so plaintiffs have to prove mental or emotional distress. Courts, he said, are reluctant to provide a remedy for non-physical damage under torts.
Negligence is another category that requires plaintiffs to prove damages. Under this tort, physicians can be considered negligent because they did not comply with a standard of conduct (HIPAA). “If the federal government says this is the minimum standard of confidentiality and you don’t meet those minimum standards, you are negligent as a matter of fact,” Eckhardt said.
Breach of contract is another option for plaintiffs, though the damages are much less than with a tort, Eckhardt said. Some states, like Ohio and West Virginia, have also created torts specifically for the unauthorized disclosure of medical records.
“More states are creating this tort for unauthorized released of records and if they don’t have one, courts are going to try to find a remedy for harm done if there is actual damage to an individual,” Eckhardt said.
A case out of Indiana was the first to show that employers can be held accountable for their staffs’ HIPAA violations. A patient sued Walgreens and one of its pharmacists when she found out the pharmacist had looked up and released medical records to the plaintiff’s ex-boyfriend. The pharmacist was currently married to the woman’s ex, to whom she provided prescription information. The woman won $1.4 million in damages, holding Walgreens accountable for the employees’ breach of confidentiality under HIPAA for reasons including negligent supervision.
Physicians need to ensure they are training all employees upon hiring them and annually thereafter, he said. Consistent training can help a provider prove they have not been negligent in supervision of their employees and reduce their liability.
As part of training, the importance of caring for hyper-sensitive information like HIV status and mental health conditions should be emphasized. In addition, practices need to review office processes to determine where people can get tripped up. For example, if a subpoena is received, what should employees at each level do with the request?
“Courts are going to try to find a remedy for harm done if there is actual damage to an individual,” Eckhardt said. “Courts are allowing awards for individuals, especially for hypersensitive information because it is so stigmatizing.”