Recently, Connecticut joined at least nine other states (DE, KY, ME, MN,
MO, NC, TN, UT, WV -- see cases cited in the opinion, linked to below)
in recognizing that, while HIPAA does not create a private right of
action for violation of privacy, it does constitute a standard against
which the actions of a defendant in such a case will be judged. In other
words, if a covered entity or business associate or downstream
contractor releases PHI other than in accordance with HIPAA (i.e., for
treatment, payment or health care operations purposes, or to or at the
direction of the data subject or his or her legal representative), the
breach of the HIPAA rule may be the basis for a finding of a breach of a
duty of care in a state court negligence action.
As the Connecticut Supreme Court observed in its opinion in Byrne v. Avery Ctr. for OB GYN, which was released earlier this week:
[A]ssuming, without deciding, that Connecticut's common law
recognizes a negligence cause of action arising from health care
providers' breaches of patient privacy in the context of complying with
subpoenas, we agree with the plaintiff and conclude that such an action
is not preempted by HIPAA and, further, that the HIPAA regulations may
well inform the applicable standard of care in certain circumstances . . . .
[T]o the extent it has become the common practice for Connecticut
health care providers to follow the procedures required under HIPAA in
rendering services to their patients, HIPAA and its implementing
regulations may be utilized to inform the standard of care applicable to
such claims arising from allegations of negligence in the disclosure of
patients' medical records . . . .
The court also found that an action under state law was not
pre-empted by HIPAA. In other words, the HIPAA standard of care may be
used to judge the actions of the covered entity but that does not mean
that HIPAA bars an individual from seeking redress for a breach under
state law.
What does this mean for covered entities, business associates and
downstream contractors? It is yet another reminder that exposure for
violations of standards of care and conduct embodied in HIPAA
regulations is not limited to indemnification clauses in business
associate agreements or audits or enforcement actions brought by the OCR or a state attorney general. A data subject may bring suit if a covered entity, business associate or downstream contractor experiences a breach.
The Connecticut case involved responding to a subpoena. There are specific HIPAA rules about responding to subpoenas,
and the provider in this case likely should have provided notice to the
data subject and an opportunity to quash. The breach was not the result
of an outside hack -- it was apparently the result of inadequate
policies and procedures, and/or staff training, at a covered entity.
Other cases could involve breaches in other contexts. For example, a social media posting including PHI
could be the basis of a state law claim, not just a complaint filed
with OCR. And in fact, it is likely that the plaintiff bar will begin
filing OCR complaints as part of their case preparation in breach of
privacy matters; an OCR finding of a HIPAA violation could obviate the
need for a trial on liability in a state court breach of privacy case --
the case would go straight to a trial or settlement discussions on the
amount of the damages.
At one end of the spectrum, the liability under a state law claim may
run into the hundreds of millions of dollars. (Consider the Johns Hopkins settlement;
while not a HIPAA case, it provides a sense of the monetary damages
that may be incurred through lax attitudes towards privacy.)
I urge covered entities, business associates and downstream
contractors to take these lessons to heart and redouble their compliance
efforts accordingly.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting
This post originally appeared at HealthBlawg, my award-winning blog