It’s well known to health lawyers — or should be — that HIPAA does not include or create a private cause of action for breach of its requirements. This wasn’t changed with HITECH and the recently issued HITECH Megarule.
It appears, however, that state laws allow individuals to make an end-run around this barrier. The U.S. Supreme Court recently denied certiorari in a West Virginia Supreme Court case which held that “common-law tort claims based upon the wrongful disclosure of medical or personal health information are not preempted by” HIPAA. St. Mary’s Medical Center v. R. K., 735 S.E.2d 715, 723 (2012) cert. den. __ U.S. __ (April 1, 2013). The West Virginia Supreme Court had reversed a state appellate court ruling fact that the state common law claims were preempted because they would provide “remedies under state law that are not permitted by… and are rejected by HIPAA.” Id. at 719.
The West Virginia court cited and acknowledged caselaw holding that HIPAA does not create a private cause of action, but distinguished that line of cases from others holding that HIPAA does not preempt state law actions for disclosure of health or medical information, and cases holding that a HIPAA violation could be the basis for a claim of negligence per se, or that HIPAA sets the standard of care for other types of tort. Id. at 719, 721–24. This case raises an interesting question: does Washington law allow for such a claim?
Negligence Cause of Action for Breach of HIPAA in Washington
Washington’s principal health information protection law, the Health Care Information Act (HCIA), allows an individual to recover “actual damages” only, against a healthcare provider which fails to comply with the Act. RCW 70.02.050. Washington law also allows a patient to pursue a claim against a physician for breach of physician-patient confidentiality under RCW 7.70.030. See Berger v. Sonneland, 26 P.3d 257 (2001). HIPAA must at least be considered as setting a “floor” standard of care for both types of claim, since they would otherwise be preempted.
The St. Mary’s analysis suggests, however, that negligence claims may also be available for breach of HIPAA. Washington law does not make a regulatory violation negligence per se, but RCW 5.40.050 provides that a “breach of duty imposed by statute… or administrative rule… may be considered by the trier of fact as evidence of negligence[.]” In determining whether a statute or regulation establishes a standard of care for such purposes, the courts consider whether regulation protects the class of persons which includes the plaintiff, and the interest which was invaded, against the hazard which occurred and the harm caused by that hazard. See Hansen v. Friend, 118 Wn.2d 476, 479, 824 P.2d 483 (1992).
There is no published Washington case applying HIPAA as the standard of care for a disclosure of information, and I am not aware of any unpublished opinion on the issue. However, a casual analysis of the issue suggests the following:
- HIPAA is clearly intended to protect the interests of all individuals whose protected health information is in the possession of, used, or disclosed by a healthcare provider or health plan (covered entities), as well as any entity acting on their behalf (business associates).
- The protected interest under the Privacy Rule is against any use or disclosure which doesn’t meet the criteria of the Privacy Rule. There is also a protected interest in the protection of electronic information under the Security Rule, and in notification of individuals of breaches under the Breach Notification Rule.
This analysis suggests that in the event of an event constituting a breach of one of these duties — a “hazard” — the only remaining question would be whether the plaintiff had been harmed.
The short answer is that Washington law does allow a cause of action for failure to comply with HIPAA, if that failure causes harm. This cause of action applies to a much broader class of potential defendants than the HCIA and Berger, including not only physicians and other healthcare providers but insurers, benefit plans, administrative and IT services companies, consultants, even law firms acting as business associates. It also includes duties of much broader scope, including not only improper disclosures of information but also its improper use, failure to adequately protect it, and failure to notify individuals if it is breached.
The Health Law Section focuses on the business of health care, state and federal reform, fraud and abuse, antitrust, new modes of health care delivery, insurance issues, and many other concerns.
Read more from the Health Law Section. Join or learn more about the Health Law Section.
John R. Christiansen. John is a Seattle healthcare lawyer who focuses on information technology, privacy and security issues. He’s been doing this since before there was a HIPAA, and is nonetheless unable to prevent his spellchecker from trying to change it to “HIPPA.” John is the newly elected Secretary of the Health Law Section Executive Committee, and looking forward to helping build the Section into a valuable resource for Washington health care lawyers.
John spends as much time as he can on Orcas Island — which, alas, isn’t as much as he’d like – and is currently typing this while sharing a chair with his cute but demanding Pug puppy.
kimberly bell
do i have a case….my husband, after telling my mother that he knew i signed a hippa form stating my doctor is to speak to Noone concerning myself, he mde up lies thus my doctor abruptly stopped prescribing me pain medication after 15 years.
Healthcare Transparency
Has this changed? How do I contact you?
Pingback: So, You Thought HIPAA Didn’t Create a Private Cause of Action? Wrong – and with HITECH It Creates a Hugely Expanded Class of Defendants. « Christiansen IT Law