Case Law Update: Just Because HIPAA Does Not Provide a Private Right of Action, Doesn't Mean that Other Avenues Exist

August 4th, 2017 - NAMAS
Categories:   Audits/Auditing   HIPAA|PHI  

Case Law Update: Just Because HIPAA Does Not Provide a Private Right of Action, Doesn't Mean that Other Avenues Exist

Simply stated, the Health Information Portability and Accountability Act (HIPAA) does not provide a private cause of action[1]. And, prior to the 2009 passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act)[2] and the more robust chain of liability (e.g. covered entities, business associates and subcontractors) under the Breach Notification Rule, several courts had held this notion to be true.[3]

Over the past decade, a shift has occurred where state and federal courts are holding that healthcare providers who breach HIPAA and other cybersecurity provisions may be pursued for a variety of common law claims including: negligence, emotional distress, breach of confidentiality, invasion of privacy, contract violations, and punitive damages.[4] The premise for bringing a cause of action for privacy violations stems from the fundamental source of American jurisprudence - the United States Constitution.
In re Columbia Valley Regional Medical Center, 41 S.W.3d 797, 802 (2001) established that, "there is a constitutional right of privacy in this case. Apart from any statutory or evidentiary privileges that apply, the medical records of an individual have been held to be within the zone of privacy protected by the United States Constitution."
See In re Xeller, 6 S.W.3d 618, 625 (Tex. App. - Houston [14th.] 1999, orig. proceeding) (citing Alpha Life Ins. Co. v. Gayle, 796 S.W.2d 834, 836 (Tex. App. - Houston [14th Dist.] 1990 no writ).

Recent cases that uphold this motion include:

  • Byrne v. Avery Center for Obstetrics and Gynecology SC 18904 (Nov. 11, 2014) - A patient advised her doctor not to provide any information to her significant other because of a paternity suit. The significant other's attorney issued a subpoena and the health center, instead of alerting the patient or fighting the subpoena, simply handed over the records. The Connecticut Supreme Court held that HIPAA does not preempt against negligence claims and may be utilized in establishing the applicable standard of care.
  • Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006) - A patient was treated by a physician who gave his access code to a third party, who in turn, viewed his records. The North Carolina Court of Appeals held that a privacy violation based on HIPAA violations was not a malpractice claim, so no expert certification was necessary; and HIPAA may be utilized in establishing the applicable standard of care.
  • John Smith v. Arvind R. Datla, et al., Case No. A-1339-16T3 (Superior Court of New Jersey Appellate Division (Jul 12, 2017) - The judge kept alive a suit accusing a physician for disclosing a patient's HIV status without the patient's consent to an unauthorized third party.

These cases underscore the importance of compliance with HIPAA and the HITECH Act. Actions brought by the Federal Trade Commission, class action law suits and Securities and Exchange Commission requirements were not discussed. The take-away is that HIPAA, the HITECH Act, and other cybersecurity violations can and do form the basis of a wide variety of causes of action. Therefore, underscoring the need to be proactive instead of reactive.

This Week's Audit Tip Written By:

Rachel V. Rose, JD, MBA
Rachel V. Rose, Attorney at Law, PLCC

Rachel V. Rose, JD, MBA, is a Houston, TX-based attorney advising on federal and state compliance and areas of liability associated with a variety of healthcare, legal and regulatory issues including: HIPAA, the HITECH Act, the False Claims Act, Medicare issues, women's health as well as corporate and security regulations.


Article Resources:
[1] 42 USC § 1320d (1996).
[2] Pub. L. 111-5, Sec. 13001 (Feb. 17, 2009).
[3]Valentin-Munoz v. Island Fin. Corp., 364F. Supp. 2d 131, 136 (D. Puerto Rico 2005);
Univ. of Co. Hosp. Auth v. Denver Publ'g Co., 340F. Supp. 2d 1142, 1145-46 (D. Colo. 2004).
[4] R.K. v. St. Mary's Medical Center, 2012 WL 5834577 (WV S.Ct. (Nov. 15, 2012), cert. denied.

NAMAS is setting the standards in medical auditing & education    

The NAMAS team and faculty work hard to bring you membership resources, products, tools, and training that is not only timely and specific to medical auditing and compliance, but also that is     specific to the needs of medical practices today. NAMAS staff are industry recognized experts who provide audits and consulting services to active clients which gives NAMAS the cutting edge to provide relevant training.

Namas

###

Questions, comments?

If you have questions or comments about this article please contact us.  Comments that provide additional related information may be added here by our Editors.


Latest articles:  (any category)

Artificial Intelligence in Healthcare - A Medical Coder's Perspective
December 26th, 2023 - Aimee Wilcox
We constantly hear how AI is creeping into every aspect of healthcare but what does that mean for medical coders and how can we better understand the language used in the codeset? Will AI take my place or will I learn with it and become an integral part of the process that uses AI to enhance my abilities? 
Specialization: Your Advantage as a Medical Coding Contractor
December 22nd, 2023 - Find-A-Code
Medical coding contractors offer a valuable service to healthcare providers who would rather outsource coding and billing rather than handling things in-house. Some contractors are better than others, but there is one thing they all have in common: the need to present some sort of value proposition in order to land new clients. As a contractor, your value proposition is the advantage you offer. And that advantage is specialization.
ICD-10-CM Coding of Chronic Obstructive Pulmonary Disease (COPD)
December 19th, 2023 - Aimee Wilcox
Chronic respiratory disease is on the top 10 chronic disease list published by the National Institutes of Health (NIH). Although it is a chronic condition, it may be stable for some time and then suddenly become exacerbated and even impacted by another acute respiratory illness, such as bronchitis, RSV, or COVID-19. Understanding the nuances associated with the condition and how to properly assign ICD-10-CM codes is beneficial.
Changes to COVID-19 Vaccines Strike Again
December 12th, 2023 - Aimee Wilcox
According to the FDA, CDC, and other alphabet soup entities, the old COVID-19 vaccines are no longer able to treat the variants experienced today so new vaccines have been given the emergency use authorization to take the place of the old vaccines. No sooner was the updated 2024 CPT codebook published when 50 of the codes in it were deleted, some of which were being newly added for 2024.
Updated ICD-10-CM Codes for Appendicitis
November 14th, 2023 - Aimee Wilcox
With approximately 250,000 cases of acute appendicitis diagnosed annually in the United States, coding updates were made to ensure high-specificity coding could be achieved when reporting these diagnoses. While appendicitis almost equally affects both men and women, the type of appendicitis varies, as dose the risk of infection, sepsis, and perforation.
COVID Vaccine Coding Changes as of November 1, 2023
October 26th, 2023 - Wyn Staheli
COVID vaccine changes due to the end of the PHE as of November 1, 2023 are addressed in this article.
Medicare Guidance Changes for E/M Services
October 11th, 2023 - Wyn Staheli
2023 brought quite a few changes to Evaluation and management (E/M) services. The significant revisions as noted in the CPT codebook were welcome changes to bring other E/M services more in line with the changes that took place with Office or Other Outpatient Services a few years ago. As part of CMS’ Medicare Learning Network, the “Evaluation and Management Services Guide” publication was finally updated as of August 2023 to include the changes that took place in 2023. If you take a look at the new publication (see references below),....



Home About Terms Privacy

innoviHealth® - 62 E 300 North, Spanish Fork, UT 84660 - Phone 801-770-4203 (9-5 Mountain)

Copyright © 2000-2024 innoviHealth Systems®, Inc. - CPT® copyright American Medical Association