HIPAA Violation? Sue Me
This is a true story that occurred recently in Indiana. Failing to collect payment for treatment, a medical group sent a patient to collections. In providing the unpaid bills to the collections attorney, practice staff failed to redact sensitive information. When the attorney filed the bills with the court as part of his collection action, the patient’s positive HIV status became public record.
The patient sued the practice and won. The jury awarded $1.25 million in damages.
As a case of wrongful disclosure this one seems pretty open-and-shut. But how exactly did the patient and his attorney proceed? Under which of the following did the patient bring action:
- HIPAA privacy rule
- HIPAA security rule
- HITECH breach notification rule
- Indiana Medical Malpractice Act
The patient sued the practice and won under the Indiana Medical Malpractice Act.
Why not HIPAA? Because he could not.
The case is a good reminder that although HIPAA sets a standard for an individual’s privacy rights it does not provide a private right of action, says Nicholas K. Lagina, an attorney with Krieg DeVault, based in Indiana.
When it comes to HIPAA violations, the patient is limited to filing complaints with appropriate governmental agencies, such as the Office for Civil Rights, he says. Other sources of law must form the basis of a lawsuit.
Common Law and the Theory of Negligence
Individuals facing what they believe to be a wrongful use or disclosure often fall back on traditional common law tort principles, according to Lagina.
“Typically claims are brought under some sort of claim of negligence, violation of privacy rights, or invasion of privacy,” he says. “You also see providers face allegations of negligent or intentional infliction of emotional distress, or even allegations of things such as defamation.”
Negligence is a tort concept available in every state, and it is broad enough to cover many types of actions.
In essence, negligence is the concept that someone had a duty to someone else, the duty was breached, and the breach resulted in an injury. “If you can show all those elements,” Lagina says, “you can fit all kinds of causes of actions underneath the theory of negligence.”
In some states, consumer protection laws and data breach laws also can provide a cause of action for privacy complaints such as wrongful disclosure.
Will Insurers Push Back?
The Indiana case is interesting for another reason, Lagina says. Cases like this may change professional liability insurance.
At the time of the interview, Lagina had not seen all of the case documents, but it appeared that the medical group’s insurance company would pay $250,000 of the $1.25 million award. This is the medical malpractice cap in Indiana for a case like this.
The remaining $1 million presumably would be paid by the Indiana Patient’s Compensation Fund.
“One of the things that will be interesting in the Indiana case as it progresses will be to see if the Indiana Patient’s Compensation Fund, which is the ultimate payer of excess damages, will try to argue that this is not malpractice,” Lagina says.
Lagina has no knowledge that it will, but generally he expects that if malpractice laws increasingly serve as the platform for rising privacy complaints, liability insurers will respond.
“I believe you’ll see in the future an interplay in the way courts are interpreting these kinds of allegations and what the insurance companies are doing in respect to insuring for those allegations,” he says.
“To the extent an insurer believes an act or a judgment is not covered under their policy, that is going to have some practical and pronounced effects on healthcare providers.”
Changes could come for individuals seeking damages, also. States considering malpractice reform have enacted or are considering multiple options: limiting damages, adding procedural requirements intended to discourage “frivolous” lawsuits, and shortening statutes of limitation.
A Share in the Damages
The HITECH modifications to HIPAA made no impact on an individual’s right of action. However, they do affect individuals in tangential ways.
HITECH grants state attorneys general the ability to bring civil action and seek damages on behalf of their residents for HIPAA violations.
A second provision provides individuals harmed by a wrongful disclosure under HIPAA a percentage of any recovery or settlement. The provision will be effective for any violation occurring after February 2009, but the Department of Health and Human Services has until 2012 to issue the regulation.
Once the regulation is in effect, Lagina foresees a spike in reported violations. The rule “has the potential to increase complaints, because individuals will have an actual monetary stake in the recovery,” he notes.
Editor’s note: An abbreviated version of this article appears in the March print issue.