The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers to protect the confidentiality of protected health information (PHI). If a health care provider violates the HIPAA rules, the Office for Civil Rights of the Department of Health and Human Services may investigate and impose civil and criminal penalties against the violating health care provider. HIPAA does not provide a private cause of action to individuals affected by a health care privacy breach. This means that an individual whose PHI has been used or disclosed by a health care provider in violation of HIPAA may not bring a civil claim against the health care provider under HIPAA.
Moreover, HIPAA specifically preempts any contrary provision of state law, meaning that a state law claim cannot be brought where a health care provider cannot comply with both the state and federal laws, or where the state law is an impediment to HIPAA’s objectives. Recent decisions by state courts, however, have held that HIPAA is the standard industry practice for health care providers and may form the basis for state law negligence claims involving disclosure of patient medical records.
Connecticut Supreme Court Decision
Last month, the Connecticut Supreme Court held that breaches of patient PHI can expose physicians and health care providers to state law claims of negligence brought by individuals, and that such claims are not preempted by HIPAA. In Byrne v. Avery Center for Obstetrics and Gynecology, a defendant health care provider responded to a subpoena for the plaintiff’s medical records in a paternity action without notifying the plaintiff or objecting to the subpoena, as required by HIPAA. The court found that the plaintiff’s claims were not preempted by HIPAA, noting that if Connecticut’s common law recognizes a negligence cause of action arising from a health care provider’s breach of patient privacy in the context of complying with a subpoena, then such an action is not preempted by HIPAA, and that HIPAA regulations may well inform the applicable standard of care in certain circumstances. Accordingly, the court remanded the case to the trial court to decide on the plaintiff’s claims of negligent infliction of emotional distress and negligence for failing to use proper and reasonable care in protecting the plaintiff’s medical file. The more courts that rule like the Connecticut court, the closer we come to having a de facto right of action under HIPAA, which could subject health care providers to more lawsuits for breaching patient confidentiality.
HIPAA as the Standard of Care
At least 10 states, including Connecticut, have now recognized that courts may look to HIPAA when considering the relevant standard of care for state privacy violation claims brought by individuals. Using HIPAA rules as the standard of care in negligence cases is beginning to look more like the equivalent of a private right of action under HIPAA, which HIPAA does not allow. This essentially means that a violation of the HIPAA rules may be used to establish that a health care provider has breached the duty of care owed to a patient under state law negligence claims relating to the improper disclosure of patient PHI. As a result, health care providers should note that a HIPAA violation may result in a variety of state law claims.
Ohio State Law Claims Under HIPAA
Ohio has not yet fully joined the chorus of states finding that state law claims may be brought by individuals on the basis of HIPAA violations, or that state courts may look to HIPAA to establish the standard of care for privacy violations. However, shortly after HIPAA’s enactment, the Ohio Supreme Court recognized an independent state tort for the unauthorized disclosure of nonpublic medical information in Biddle v. Warren General Hospital. The court’s decision did not address HIPAA’s applicability, likely because the claims were brought before HIPAA’s enactment.
More recently, in OhioHealth Corporation v. Ryan, the Ohio Tenth District Court of Appeals held that Ohio does not recognize a private cause of action under HIPAA, reasoning that because HIPAA was applicable to the circumstances of that case, HIPAA remained the governing authority.
As evidenced by the Ohio cases noted above, there is no definitive ruling as to whether HIPAA will preempt Ohio state law claims, particularly in light of the private cause of action created by the Ohio Supreme Court in Biddle that allows individuals to bring claims against health care providers for the unauthorized disclosure of medical information.
There are a growing number of state courts finding physicians and health care providers liable to individuals for improper uses or disclosures of PHI, despite HIPAA preemption. While Ohio has not yet solidified its position on the issue, Ohio courts may certainly find the Connecticut Supreme Court’s decision persuasive, as well as the reasoning behind other state courts applying HIPAA as the standard of care in state law negligence claims relating to the improper use and disclosure of patient PHI. These decisions make health care providers ripe targets for state law privacy and negligence claims based on HIPAA violations, creating substantial economic exposure for health care providers.
Now more than ever, health care providers should focus on establishing and enforcing HIPAA compliance and training programs within their organizations. In addition, they should consult with advisers to ensure they are adequately insured against the potential liabilities associated with state law claims concerning improper uses or disclosures of PHI.