Acosta v. Byrum
The Health Insurance Portability and Accountability Act (HIPAA) authorized the development of privacy regulations that most healthcare providers have had in place since the compliance date of April 2003. The technicalities of the regulations and the practical difficulty of monitoring every use and disclosure of patients' protected health information are daunting, yet Congress provided no private right of action under the statute.
Instead, violations of HIPAA's privacy regulations have been subject only to enforcement action by the Office for Civil Rights, the federal agency charged with administering the Privacy Rule. The basic administrative sanction is $100 per failure to comply with a requirement of the rule.
A recent decision by an appellate court in North Carolina, however, demonstrates that HIPAA may form the basis of a lawsuit by a patient notwithstanding the absence of a private right of action created by Congress. In Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. Dec. 19, 2006), a patient sued her doctor on a theory of negligent infliction of emotional distress. She alleged that the doctor was negligent, and in violation of HIPAA, in allowing his office manager to use the physician's own medical record access number; in effect, he shared a credential issued to him personally. Using that credential, the office manager allegedly retrieved the patient's confidential psychiatric and other medical records and provided them to third parties without the patient's consent.
The trial court dismissed the patient's claim in part on the ground that HIPAA does not provide a private right of action. The appellate court reversed, stating that the patient had not asserted her claim under HIPAA but had merely used HIPAA to define the standard of care the physician should have followed to protect her medical information. In other words, the claim rests on the theory that a violation of HIPAA's privacy regulations is negligence per se, which would remove the need for a jury to decide whether the doctor's conduct was reasonable.
There are some additional factors present in the case that may ultimately weaken its precedential value. The patient had also been an employee of the doctor's office and the office manager is alleged to have had a "severe personal animus" against the patient, which was known to the doctor prior to his permitting the office manager to access the medical records. The decision was also rendered at an early stage of the proceedings on the doctor's motion to dismiss the complaint, which necessarily assumes that the facts alleged in the complaint are true.
Nevertheless, the use of HIPAA privacy violations as a standard of care for negligence under common law theories of liability is likely to be adopted by other patients whose healthcare information is disclosed, inadvertently or otherwise. This additional litigation risk suggests that strict adherence to HIPAA regulations is important not only to avoid regulatory enforcement, which has seemed an unlikely possibility in all but the most egregious cases, but also to avoid individual lawsuits, which pose a more prevalent and expensive risk.