Gazelle Consulting

HIPAA and Private Right of Action

Private right of action: four little words that have the capacity to rock the world of health information privacy and by extension the entire field of healthcare.

HIPAA Private Right of Action (or Lack Thereof)

Private right of action refers to the ability of a private individual to bring a civil suit on the grounds of a violation of a particular law.

HIPAA doesn’t currently allow individuals a private right of action. This means that if your rights under HIPAA are violated, your only recourse is to make a complaint to the Office for Civil Rights (OCR) and hope that they audit the organization that infringed your rights.

This has never been popular with patients who felt as if they’d been wronged and the lawyers eager to represent them. Over the last several years, those lawyers have been testing the boundaries of what HIPAA’s lack of a private right of action means.

Cases attempting to circumvent the federal statute via state common law have been popping up all over the US. The facets of state law used so far include breach of confidentiality/privacy and negligence.

Cases Overcoming HIPAA’s Lack of Private Right of Action

A tort is a wrong or injury caused by an individual for which the victim can seek compensation. Privacy torts allow individuals to sue for violations of their privacy.

Privacy torts have been in the news most recently due to a decision handed down last month by the New Jersey Supreme Court. In this case, a patient sued a doctor and his medical practice for invasion of privacy and several other claims after the doctor allegedly discussed the patient’s HIV status with an unnamed third party. When the defense moved to dismiss due to the fact that HIPAA does not allow private right of action, the New Jersey Supreme Court ruled that the case could proceed on the grounds that it was being pursued under state invasion of privacy tort, rather than HIPAA itself.

So far, using state negligence law has been the most common route to pursuing legal recourse in the event of a violation of an individual’s right to privacy.

This route is best exemplified by a recent ruling by the Connecticut Supreme Court. The plaintiff sued an OB GYN center for negligence after receiving care there. In addition to being informed that her information would not be shared with anyone, she specifically asked that her information not be given to a former romantic partner. Said ex-partner then filed a paternity suit and subpoenaed the OB GYN center for the plaintiff’s information. The center complied, and the ex-partner promptly used that information to extort the plaintiff.

The center also moved to dismiss based on the fact that HIPAA doesn’t allow private right of action. The court ruled that, while HIPAA doesn’t provide a private right of action, it does set a standard of care. This is akin to saying that HIPAA sets the bar for deciding whether or not healthcare providers are being negligent. If they are in compliance with HIPAA they’re above that bar; if not, they’re below it and open to a negligence civil suit.

Implications of Standard of Care and Negligence Cases

Takeaways

  • The single most important thing you can do is follow all HIPAA compliance recommendations. Covered entities, particularly large organizations, often focus their energy on the Security Rule instead of the Privacy Rule. The Privacy Rule should not be ignored. It contains the administrative safeguards and employee training requirements that will keep you safe from negligence suits.
  • Use access auditing software, such as the package offered by Maize Analytics. Even with the best of training, you can’t guarantee that employees will abide by it. Access auditing software will ensure that you are alerted if an employee attempts to access information that is outside of the care they’re providing, significantly reducing the risk of inappropriate exposures.

Does all this talk of compliance give you HIPAA-anxiety? Gazelle Consulting is here to help!

Although we are a lion-free workplace, we can help your compliance journey feel like a walk through a grassy savanna. Give us a call today at (503) 389-5666 or email us at info@gazelleconsulting.org.
