It’s well known to health lawyers — or should be — that HIPAA does not include or create a private cause of action for breach of its requirements. This wasn’t changed with HITECH and the recently issued HITECH Megarule.
It appears, however, that state laws allow individuals to make an end-run around this barrier. The U.S. Supreme Court recently denied certiorari in a West Virginia Supreme Court case which held that “common-law tort claims based upon the wrongful disclosure of medical or personal health information are not preempted by” HIPAA. St. Mary’s Medical Center v. R. K., 735 S.E.2d 715, 723 (2012) cert. den. __ U.S. __ (April 1, 2013). The West Virginia Supreme Court had reversed a state appellate court ruling that the state common law claims were preempted because they would provide “remedies under state law that are not permitted by… and are rejected by HIPAA.” Id. at 719.
The West Virginia court cited and acknowledged caselaw holding that HIPAA does not create a private cause of action, but distinguished that line of cases from others holding that HIPAA does not preempt state law actions for disclosure of health or medical information, and cases holding that a HIPAA violation could be the basis for a claim of negligence per se, or that HIPAA sets the standard of care for other types of tort. Id. at 719, 721–24. This case raises an interesting question: does Washington law allow for such a claim?
Negligence Cause of Action for Breach of HIPAA in Washington
Washington’s principal health information protection law, the Health Care Information Act (HCIA), allows an individual to recover “actual damages” only, against a healthcare provider which fails to comply with the Act. RCW 70.02.050. Washington law also allows a patient to pursue a claim against a physician for breach of physician-patient confidentiality under RCW 7.70.030. See Berger v. Sonneland, 26 P.3d 257 (2001). HIPAA must at least be considered as setting a “floor” standard of care for both types of claim, since they would otherwise be preempted.
The St. Mary’s analysis suggests, however, that negligence claims may also be available for breach of HIPAA. Washington law does not make a regulatory violation negligence per se, but RCW 5.40.050 provides that a “breach of duty imposed by statute… or administrative rule… may be considered by the trier of fact as evidence of negligence[.]” In determining whether a statute or regulation establishes a standard of care for such purposes, the courts consider whether the regulation protects the class of persons which includes the plaintiff, and the interest which was invaded, against the hazard which occurred and the harm caused by that hazard. See Hansen v. Friend, 118 Wn.2d 476, 479, 824 P.2d 483 (1992).
There is no published Washington case applying HIPAA as the standard of care for a disclosure of information, and I am not aware of any unpublished opinion on the issue. However, a casual analysis of the issue suggests the following:
- HIPAA is clearly intended to protect the interests of all individuals whose protected health information is in the possession of, used, or disclosed by a healthcare provider or health plan (covered entities), as well as any entity acting on their behalf (business associates).
- The protected interest under the Privacy Rule is against any use or disclosure which doesn’t meet the criteria of the Privacy Rule. There is also a protected interest in the protection of electronic information under the Security Rule, and in notification of individuals of breaches under the Breach Notification Rule.
This analysis suggests that where an event constitutes a breach of one of these duties — a “hazard” — the only remaining question would be whether the plaintiff had been harmed.
The short answer is that Washington law does allow a cause of action for failure to comply with HIPAA, if that failure causes harm. This cause of action applies to a much broader class of potential defendants than the HCIA and Berger, including not only physicians and other healthcare providers but insurers, benefit plans, administrative and IT services companies, consultants, even law firms acting as business associates. It also includes duties of much broader scope, including not only improper disclosures of information but also its improper use, failure to adequately protect it, and failure to notify individuals if it is breached.