Anyone working in the health care industry is intimately familiar with the Health Insurance Portability and Accountability Act of 1996, better known as “HIPAA.” Generally, the purpose of HIPAA is to establish minimum federal standards for protecting the privacy of protected health information (“PHI”). While it is widely understood that health plans, healthcare clearinghouses, and health care providers are potentially subject to HIPAA regulation at the federal level for maintaining patient privacy, what may be less intuitive is how the patient privacy standard of care established under HIPAA applies to a private right of action.
Only the U.S. Department of Health & Human Services Office for Civil Rights (“HHS”) and the state attorneys general can enforce HIPAA violations. As a result, HIPAA lacks a private right of action. This means that an individual whose PHI has been used or disclosed by a health care provider in violation of HIPAA may not bring a civil claim against the provider under HIPAA. HIPAA also preempts state privacy laws that are contrary to HIPAA, the exception being when a state law is “more stringent” than HIPAA regarding privacy protection.
With data breaches becoming increasingly common, individuals have attempted to circumvent HIPAA’s lack of individual enforcement power by bringing negligence claims under state law based on violations of HIPAA. Using HIPAA as the patient privacy standard of care in negligence cases is beginning to look more like the equivalent of a private right of action under HIPAA, which HIPAA does not allow. This essentially means that a violation of the HIPAA rules may be used to establish that a health care provider has breached the duty of care owed to a patient under state law negligence claims relating to the improper disclosure of patient PHI. As a result, health care providers should understand that a HIPAA violation may result in a variety of state law claims.
Perhaps even more alarming than the attempted private right of action as a HIPAA workaround is the recent trend of state courts both finding in favor of the plaintiffs bringing the private rights of action, as well as finding that HIPAA violation claims can be brought at the state level. In California, a medical center found itself at the center of a major data attack, with 4.5 million patients affected by the breach. After suspecting suspicious activity on its network, it contacted the FBI for help. Although it took close to 9 months to notify the patients of the breach, HHS ultimately found that the medical center followed appropriate protocol and was satisfied with the health system’s post-breach efforts to improve security. Despite the findings by HHS, a California state court found that the medical center failed to notify its patients of a data breach in a timely manner and awarded a settlement of $7.5 million in favor of patients who had filed the class-action suit.
The Arizona Court of Appeals also added to a number of courts across several states holding that HIPAA may define the standard of care for state law claims. The claim before the Arizona Court of Appeals alleged a privacy violation by a Costco pharmacist when the pharmacist verbally joked about one man’s erectile dysfunction medication to the man’s ex-wife. The long and short of it is, the Arizona Court of Appeals ruled that negligence claims using HIPAA as the patient privacy standard of care could be brought against Costco in Arizona courts.
While data breaches occur in virtually every state, health care providers in Texas have the added burden that the state has led the country in total hacking breaches reported to HIPAA for four of the past five years. In light of other rulings similar to California and Arizona, it is no surprise that Texas hospitals have been devoting more resources to cyber security. The added protection seems to be working. Data shows that despite Texas often being in the top two for total hacking attempts over the past five years, it is further down the list when it comes to individual records actually breached.
Since it is becoming increasingly common for state courts to find HIPAA as the patient privacy standard of care for private rights of action, health care providers should re-evaluate, establish, and enforce HIPAA compliance and training programs within their organizations. Otherwise, not safeguarding against HIPAA violations could result in substantial penalties against an organization.
If you have any questions on compliance with HIPAA, please schedule a consult at firstname.lastname@example.org.