Can A HIPAA Violation Give Rise to a Private Cause of Action?

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to maintain the confidentiality of patients’ medical records and other protected health information.

If an entity violates HIPAA, the Department of Health and Human Services may impose a civil or criminal penalty against the violator. But what if the HIPAA violation causes calculable harm? Can a person or entity sue for a HIPAA violation?

Generally, no. HIPAA does not give a person or entity the right to file a lawsuit based on a HIPAA violation. However, recent cases may offer a new twist on an old rule.

In 2006’s Acosta v. Byrum, the plaintiff, Heather Acosta, used the privacy and security provisions of HIPAA to establish the standard of care owed by a defendant, Dr. David Faber, with regard to Acosta’s medical records.

Acosta was an employee and a patient of Dr. Faber’s at Psychiatric Associates of Eastern Carolina. Another defendant, Robin Byrum, was the office manager at Psychiatric Associates. According to Acosta, Byrum disliked her. Acosta claimed that Dr. Faber improperly allowed Byrum to use Dr. Faber’s medical record access code numerous times, and that while using Dr. Faber’s medical record access code, Byrum retrieved Acosta’s confidential psychiatric and medical records.

Acosta alleged that Byrum then provided information contained in Acosta’s medical records to third parties without Acosta’s consent.

Acosta filed suit in North Carolina state court against Dr. Faber and Byrum, alleging invasion of privacy and emotional distress. Acosta claimed that Dr. Faber violated HIPAA by breaching his duty to maintain confidentiality of her medical records by allowing Byrum to use his access code to retrieve Acosta’s records.

The court noted that Acosta did not bring a claim under HIPAA itself, but simply used HIPAA to establish the “duty of care owed by Dr. Faber with regard to the Privacy of the plaintiff’s medical records.” The court further noted that Acosta stated in her complaint that, when Dr. Faber provided his medical access code to Byrum, Dr. Faber violated the rules and regulations established by HIPAA.

The court reasoned that this allegation did not state a cause of action under HIPAA because Acosta merely cited HIPAA as evidence of the appropriate standard of care, which is a necessary element of negligence. Because Acosta did not sue Dr. Faber for violating HIPAA and simply used HIPAA to establish the standard of care, Acosta was not precluded from bringing her claim.

A recent case, Hinchy v. Walgreen Co., also examined the use of HIPAA as evidence of the standard of care for a pharmacist’s duty of confidentiality and privacy in regards to private patient information. In Hinchy, the defendant, Audra Peterson worked as a pharmacist at the Walgreens which plaintiff, Abigail Hinchy, used as her sole pharmaceutical provider.

Peterson learned that her husband, Davion Peterson had been having an affair with Hinchy, which resulted in the birth of a child.

Hinchy demanded Davion pay child support, which he refused to do. To assist Davion in avoiding the payment of child support, Peterson accessed Hinchy’s patient information through the Walgreen’s computer system and reviewed Hinchy’s prescription history.

Peterson then divulged the contents of Hinchy’s prescription history to Davion, who then informed Hinchy that he had seen her records. Hinchy subsequently filed suit against Walgreens and Peterson claiming breach of confidentiality and privacy. Hinchy claimed that Peterson’s actions fell below the standard of care provided by HIPAA, and that Walgreen’s was liable since Hinchy’s records were accessed under the scope of Peterson’s employment.

The jury found for Hinchy and awarded her $1.44 million in damages, making it the first case where substantial damages were awarded in which HIPAA was used as evidence of the standard of care.

To recap, individuals do not have a private right to sue covered entities for violations of HIPAA. However, individuals have found a way to circumvent this preclusion by filing causes of action in state courts.

In Acosta and Hinchy, state courts have allowed plaintiffs to use HIPAA as a standard for the measurement of the duty to maintain confidentiality in negligence, privacy, and professional liability cases. Due to the broadness of state tort laws pertaining to negligence and privacy and the substantial damages awarded in Hinchy, covered entities should re-evaluate their HIPAA compliance program and ensure mechanisms are in place to safeguard against violations of HIPAA.

Edward L. Vishnevetsky, an associate at Munsch Hardt, focuses on health law and commercial litigation. 

Posted in Expert Opinions.