Private right of action: four little words that have the capacity to rock the world of health information privacy and by extension the entire field of healthcare. Private right of action refers to the ability of a private individual to bring a civil suit on the grounds of a violation of a particular law. HIPAA doesn’t currently allow individuals private right of action, meaning; if your rights under HIPAA are violated your only recourse is to make a complaint to the Office of Civil Rights (OCR) and hope that they audit the organization that infringed your rights.
This has never been a popular state of affairs with patients who felt as if they’d been wronged and the lawyers eager to represent them. Over the last several years those lawyers have been testing the boundaries of what HIPAA’s lack of a private right to action means. Cases have been popping up all over the US that employ various routes to circumvent the federal statute via state common law. The facets of state law used as so far are: breach of confidentiality/privacy and negligence. Here are some key examples of how each of these facets have been successfully used in civil suits:
Privacy tort has been in the news most recently due to a decision handed down last month by the New Jersey Supreme Court. In this case a patient sued a doctor and his medical practice for invasion of privacy and several other claims after the doctor allegedly discussed the patient’s HIV status with an unnamed third party. When the defense moved to dismiss due to the fact that HIPAA does not allow private right of action, the New Jersey Supreme Court ruled that the case could proceed on the grounds that it was being pursued under state invasion of privacy tort, rather than HIPAA itself.
As so far, using state negligence law has been the most common route to pursuing legal recourse in the event the violation of individual’s rights to privacy. This route is best exemplified by a recent ruling by the Connecticut Supreme Court. The plaintiff sued an OB GYN center for negligence after receiving care there. In addition to being informed that her information would not be shared with anyone, she specifically asked that her information not be given to a former romantic partner. Said ex-partner then filed a paternity suit and subpoenaed the OB GYN center for the plaintiff’s information. The center compiled and the ex-partner promptly used that information to extort the plaintiff. The center also moved to dismiss based on the fact that HIPAA doesn’t allow private right of action. The court ruled that, while it doesn’t provide a private right of action, it does set a standard of care. This is akin to saying that HIPAA sets the bar for deciding whether or not healthcare providers are being negligent. If they are in compliance with HIPAA they’re above that bar; if not, they’re below it and open to a negligence civil suit.
Walgreens was forced to pay out $1.44 million in a HIPAA related negligence case. HIPAA violations can already result in steep fines from the OCR. If these cases become class action lawsuits, the amounts involved could grow exponentially with $1.44 million serving as a base value. The amounts involved may make OCR fines seem like child’s play.
There is some silver lining to these cases, in a negligence suit, the plaintiff must prove that they sustained damages due to the actions of the defendant. The HIPAA has no such strictures, so something that warrants an audit or penalty under HIPAA may not invoke civil suits.
Propublica recently conducted an investigation and found that small breaches are actually substantially more likely to cause harm than the large splashy breaches that get press attention. This is good and bad news. Good because it means class action lawsuits involving millions of people are less likely. Bad because the small breaches are usually due to administrative reasons; reasons that are often given short shrift when covered entities are updating their HIPAA compliance.
Don’t assume that just because it hasn’t happened in your state, it won’t happen to you. Over 10 states have already approved cases using HIPAA as a standard. The West Virginia Supreme Court decided that a negligence case could continue based simply on the fact that so many other states have already set a precedent. Decisions like that can have a snowball effect and soon enough there may be present in all 50 states.
What can I do?:
The single most important thing you can do is follow all HIPAA compliance recommendations. Covered entities, particularly large organizations, often focus their energy on the Security Rule instead of the Privacy Rule. The Privacy Rule should not be ignored. It contains the administrative safeguards and employee training requirements that will keep you safe from negligence suits.
Use access auditing software, such as the package offered by Maize Analytics. Even with the best of training, you can’t guarantee that employees will abide by it. Access auditing software will ensure that you are alerted if an employee attempts to access information that is outside of the care they’re providing, significantly reducing the risk of inappropriate exposures.