Ruling Reaffirms Individuals Cannot File HIPAA Lawsuits
Federal Court Dismisses Legal Action by Patient in Privacy Case

A federal court recently dismissed a case filed by a patient alleging a laboratory violated HIPAA by failing to shield from public view her personal health information displayed on a computer intake station.
The ruling once again reaffirmed a longstanding precedent that individuals cannot file a lawsuit, known as a "private cause of action," for alleged HIPAA violations.
The June 15 ruling by a U.S. district court judge in Washington, D.C., also noted that the plaintiff in the case, Hope Lee-Thomas - who is listed on court documents as representing herself in the lawsuit - failed to respond to a motion by LabCorp, the laboratory she had sued, to dismiss the case.
"Time and time again, courts have said there is nothing in the statutory language [of the HIPAA rules] allowing private individuals to bring private action for HIPAA violations," says regulatory attorney Elliot Golding of the law firm Squire Patton Boggs.
Privacy attorney Kirk Nahra of the law firm Wiley Rein offers a similar assessment: "There has never been a HIPAA private cause of action, and that's been clear since the early days. The fight now is over whether plaintiffs can use HIPAA as a measuring stick for some other kind of tort claim - although even then they still typically need to prove damages."
For instance, in situations such as health data breaches, in which individuals' personal information is compromised and allegedly results in identity theft or fraud, individuals can pursue lawsuits seeking relief for damages.
But generally in those situations, even if multiple HIPAA violations were involved - such as an entity failing to conduct a security risk analysis and mitigate identified risks - the focus of the private action lawsuit is typically on an organization's alleged negligence and other claims that led to individuals being harmed by the breach, legal experts note.
For alleged HIPAA violation cases, the Department of Health and Human Services Office for Civil Rights and state attorneys general are the only parties that can bring legal action, Golding notes.
Key Considerations
Privacy attorney Iliana Peters of the law firm Polsinelli points out, however, that individuals can file legal action under many state laws.
"It's extremely important to note that although HIPAA does not have a private right of action, many state laws require entities, both healthcare entities and others, to implement HIPAA-like protections for consumer data, and have stiff penalties," she says.
All 50 states now have data breach notification laws, she notes. "As such, I think there are more than sufficient remedies for individuals under state law, which seems the most appropriate place for private rights of action," she says.
"While individuals do not have a private right of action under HIPAA, they may be able to recover significant damages under state law. Colorado, for example, recently passed HB 1128, which provides for treble damages, and requires entities, including healthcare entities, to implement reasonable data security, to destroy data once it's no longer needed, and to notify in the case of breach, on a shorter timeline than what's required under HIPAA - 30 days."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine observes: "Organizations can take from this case that their primary exposure under HIPAA is from regulators. But they should not underestimate the potential costs that can come from claims that are based on other statutes or common law, as costs of defending litigation and a settlement or adverse decision can far exceed the typical settlements that regulators enter under HIPAA."
The biggest issue in many cases has been whether plaintiffs can prove harm following a privacy or security incident, Greene points out.
Case Details
Court documents indicate that Lee-Thomas was a patient at Providence Hospital in Washington, D.C., on June 15, 2017, where she received treatment from LabCorp.
Lee-Thomas was instructed by a LabCorp technician to submit her medical information using an on-premises computer intake station that was allegedly in close proximity to another intake station, the document says.
"When Ms. Lee-Thomas realized her health information was being disclosed within eyesight and earshot of another patient, she informed a LabCorp technician of the violation and photographed the two stations in question," the court document notes.
On July 3, 2017, Lee-Thomas sent a letter to Providence Hospital informing it of possible HIPAA privacy violations, and then filed a complaint with the HHS OCR and an additional complaint with the District of Columbia's Office of Human Rights citing LabCorp's alleged failure to make proper "public accommodations" by maintaining non-HIPAA compliant facilities, the document notes.
"Both of Ms. Lee-Thomas' administrative complaints were unsuccessful. HHS on Nov. 15, 2017, informed Ms. Lee-Thomas the agency would not pursue her claim ... On Nov. 28, 2017, the DC OHR alerted Ms. Lee-Thomas that her complaint was similarly dismissed based on her failure to state a claim," the court document notes.
"LabCorp's alleged HIPAA violation is the only cause of action Ms. Lee-Thomas has included in her case. Given the statutory language and the clear consensus among courts that have addressed the question, no private action exists under HIPAA, and accordingly, Ms. Lee-Thomas has failed to state a claim upon which relief can be granted," the ruling says.
Lessons to Learn
Despite the dismissal of the Lee-Thomas HIPAA lawsuit against LabCorp, healthcare organizations should learn from this case, Peters notes.
"My advice to healthcare entities is always to ensure reasonable and appropriate data security compliance programs under HIPAA, the Federal Trade Commission, and state law requirements, and to ensure notification of a breach complies with state breach requirements, as well as with HIPAA requirements."
Golding also notes that even if statutes allowed individuals to take private legal action in HIPAA cases, he's not certain the allegations against LabCorp - that it failed to shield medical information from view at intake stations placed in close proximity - would even be considered a violation of HIPAA.

"The question is whether an entity is trying to do the right thing. There's no such thing as perfection," Golding says.
LabCorp's attorney handling the case did not immediately respond to an Information Security Media Group request for comment on the case. Efforts by ISMG to contact Lee-Thomas were unsuccessful.