Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.
Unfortunately, we are all too familiar with violations of the Confidentiality and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html for a summary of the HIPAA Security Rule. The consequences of such violations can include substantial financial penalties, such as the $4.3 million fine imposed on June 1, 2018 by an administrative law judge on the University of Texas MD Anderson Cancer Center following the theft of an unencrypted laptop and the loss of two unencrypted thumb drives, and what the judge characterized as the center’s “half-hearted and incomplete efforts at encryption” thereafter. See https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html for more information on this case.
This fine demonstrates what an administrative agency can do to redress a HIPAA violation. However, might an individual adversely affected by such a violation assert a claim on her own behalf and seek monetary damages under HIPAA against the offending healthcare provider? The short answer appears to be “no.” The latest example of this conclusion is Lee-Thomas v. Lab Corp., Civil Action No. 18-591 (RC) (D.D.C. June 15, 2018).
The plaintiff in Lee-Thomas was a patient in a hospital in the District of Columbia when she received treatment from the defendant, Lab Corporation of America (Lab Corp). She alleged in the complaint that her protected health information was visible to another patient when she used a Lab Corp computer intake station to submit her medical information. After she failed to secure redress through administrative complaints, the plaintiff filed suit against Lab Corp for an alleged HIPAA violation. The defendant moved to dismiss, arguing that an individual such as the plaintiff could not sue for a HIPAA violation. The court agreed:
“LabCorp asserts that dismissal of Ms. Lee-Thomas’s claim is appropriate because HIPAA provides for no private cause of action. *** HIPAA regulates the confidentiality of medical information by imposing privacy requirements on the Department of Health and Human Services, healthcare providers, and insurers. *** While the statute provides both civil and criminal penalties for improperly handled or disclosed information, the language of the statute specifically limits enforcement action to HHS and individual states’ attorneys general. *** Furthermore, courts in this and other circuits that have considered the question have reached a consensus that the statutory language of HIPAA grants no private right of action. ***.”
However, in dismissing the complaint, the court did note that the plaintiff had been informed by the Office for Civil Rights that she might pursue a private action under the District of Columbia Human Rights Act, which she had not asserted. This is consistent with decisions of various State courts, which have allowed individuals to assert claims related to the privacy of protected health information.
What does this mean for healthcare providers? HIPAA violations can be penalized in proceedings instituted by the Department of Health and Human Services as well as the attorneys general of the States. Violations of HIPAA cannot be prosecuted by individuals but, depending on the jurisdiction, individuals can seek monetary awards based on loss of privacy. See, for example, my February Legal-e-Speaking blog post, “You’ve Been Served: What Next?” Whatever the basis for the claim, healthcare providers should protect confidential patient information!
**Editor’s Note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as legal advice.