I am asked that question almost weekly. While the answer has traditionally been “no,” the legal landscape is shifting and the risk of being sued continues to increase.
Let’s first start with some background. As some of you may know, HIPAA does not include a “private right of action.” This means that an individual may not file a claim against a covered entity or a business associate in order to enforce HIPAA or seek damages in response to a HIPAA violation. For example, a patient is not able to sue a dentist if the dentist fails to distribute a Notice of Privacy Practices or enter into a business associate agreement. The sole remedy of an aggrieved individual is to file a complaint with the United States Department of Health and Human Services Office for Civil Rights (“OCR”) or, more recently, with a state Attorney General. In addition, in some states, individuals have been able to file complaints regarding generalized privacy concerns with various state regulatory agencies, such as a state health or consumer protection department. With respect to OCR, notification of the right to file a complaint and the process for doing so is generally set forth in a covered entity’s Notice of Privacy Practices.
Since HIPAA was enacted, the lack of a private right of action has provided solace to covered entities and business associates, particularly since complaints tend to be few in number. Moreover, OCR investigations of complaints have often resulted in compliance agreements and consent orders, rather than court actions or civil damages, both of which would require the covered entity or business associate to expend considerable sums on attorney fees, court costs and payment of damages.
While there is no hint at this time that Congress is contemplating including a private right of action in HIPAA (i.e. allowing individuals to sue to enforce HIPAA), aggrieved patients and their counsel have been finding other ways to file claims for HIPAA violations and use HIPAA violations as the basis for seeking monetary damages. For example, in some states, patients have filed suit against health care providers on the grounds of negligence – claiming that the provider was negligent when violating HIPAA and thus must be held liable for damages. A recent example from Connecticut illustrates the way these lawsuits operate:
A physician received a subpoena for medical records. The physician supplied the medical records as requested by the subpoena; however, the subpoena did not comply with HIPAA. The subject of the medical records sued, alleging that HIPAA creates a “standard of care” for all health care providers and that the failure of the physician to adhere to that standard of care was “negligent.” The physician sought to block the suit but the Connecticut Supreme Court allowed it to continue. As of this date, the lawsuit is making its way through the Connecticut state courts. In addition, lawsuits are currently being prepared and filed in response to the recent Anthem breach and many will be claiming negligence or violation of various state privacy or insurance regulations.
These types of lawsuits would have been unheard of even just a few years ago. However, while still not widespread or common, the emergence of these suits poses significant risk management and liability concerns for any health care provider, health insurance company or vendor subject to HIPAA. The risk of a lawsuit is most pertinent to HIPAA violations which may cause financial, reputational or other harm to a party. Hypothetical examples, based upon real life incidents, include:
- Inappropriate disclosure of medical records in response to a subpoena, which causes a former patient to lose custody of her children.
- Inappropriate disclosure of a child’s medical record to an estranged parent after the health care provider failed to verify the estranged parent’s authority to access records, which leads the estranged parent to discover where the child now resides.
- Inappropriate use of medical records by hospital staff as part of a “hot or not” game which causes severe embarrassment and distress to certain patients.

A negligent attorney and an angry patient could potentially make a claim based upon any of the above and may seek a significant financial settlement or payout.
In light of the potential for such lawsuits and the significant damages that may be awarded, covered entities and business associates should consider reviewing their HIPAA compliance programs to identify weaknesses and institute safeguards and protocols to reduce the likelihood of inappropriate disclosures that may lead to a patient filing suit. Such safeguards may include, based upon the above examples, a subpoena review checklist, verification procedures, a reliable reporting protocol or other procedures to allow the entity or its staff to verify that information is being used and disclosed appropriately.