Knowledgeable observers have long expected the privacy and security requirements imposed under the Health Insurance Portability and Accountability Act (HIPAA) to influence negligence litigation arising from improper disclosure of patient information. A recent decision of the North Carolina Court of Appeals provides a dramatic example of appellate court adoption of HIPAA as the standard of care medical practitioners must meet in order to avoid a claim of negligence in failing to prevent the unauthorized disclosure of patient treatment information. Acosta v. Faber, 638 S.E.2d 246 (N.C. App., Dec. 19, 2006).
Were the law of this case to become widely accepted, it could open the courthouse door to numerous vague claims brought under color of HIPAA, expand the prospects for litigation in the absence of actual harm or actual damages, and limit the effectiveness of tort reforms designed to reduce malpractice litigation.
This action was not the product of disputes between a giant health care organization and the federal government but, instead, at the opposite end of the spectrum, arose from a child custody dispute between a formerly married couple in Hertford County, North Carolina. Heather Acosta (formerly Heather Smith), the plaintiff and former wife of Chris Smith, commenced the present civil action in May 2005 against four individuals. Those defendants were alleged to have improperly accessed her electronically stored confidential psychiatric and other medical or health care records and published or otherwise disseminated information contained in the records to third parties without authorization of consent, causing plaintiff "severe emotional distress, humiliation and embarrassment."
The defendants were associated with two medical practices. Defendant Shirley Smith (the ex-husband's mother) was employed by defendant Beverly Edwards, M.D., a pediatrician in Ahoskie, North Carolina. Smith and Edwards were alleged to have acted in concert to intentionally access plaintiff's confidential health care records for the purpose of providing them to Shirley Smith. The other two defendants were David R. Faber, II, M.D., a psychiatrist and neurologist who owned Psychiatric Associates of Eastern Carolina, a psychiatric practice located in Ahoskie, North Carolina, and Robin Byrum, the office manager of Psychiatric Associates. The plaintiff had been an employee of Psychiatric Associates and was also a patient, both before and after leaving that employment.
The complaint alleged "intentional invasion of privacy" against Robin Byrum based on her having "obtained plaintiff's confidential lab results, transcribed reports, identification information, radiology reports and individual patient reports knowingly using an access number that was not assigned to her and which she was not authorized to use." These acts were alleged to be "malicious" and "done for this defendant's personal gain and advantage" and with the intent "to use Plaintiff's confidential information to embarrass, intimidate, and humiliate the Plaintiff." The complaint further alleged that "Robin Byrum's employment with Psychiatric Associates has been terminated, and she is now employed by the law firm representing Plaintiff's husband" in the child custody case. Substantially the same facts were alleged to support a claim for intentional infliction of emotional distress against Byrum.
The complaint contended that Dr. Faber "negligently allowed Defendant, Robin Byrum, to use his medical records access code to obtain Plaintiff's confidential healthcare records and information in violation of the rules and regulations established by University Health Systems and Roanoke Chowan Hospital and the Health Insurance Portability and Accountability Act of 1996 (HIPAA)." The complaint further alleged that "Dr. Faber had an express and implied duty of reasonable care not to allow Robin Byrum or others without medical or other proper authorization to access the Plaintiff's confidential healthcare records, and in so allowing, he breached this duty of reasonable care." The complaint also alleged that "Dr. Faber was a 'covered entity' as defined by" HIPAA.
Plaintiff sought punitive damages against Shirley Smith, Dr. Edwards, and Robin Byrum on the ground that their actions were "done intentionally, willfully, maliciously and with reckless indifference to the rights of the Plaintiff," but sought only compensatory damages from Dr. Faber.
Motion to Dismiss
Dr. Faber responded to the complaint with a motion to dismiss under North Carolina Rules of Civil Procedure 12(b)(2)[lack of personal jurisdiction] and 12(b)(6) [failure to state a claim recognized under law]. With respect to failure to state a claim, he asserted that HIPAA "does not grant an individual a private cause of action," and that plaintiff failed to secure the certificate by a physician that North Carolina law requires as a prerequisite to bringing a malpractice action.
On August 5, 2005, the motion was heard before Superior Court Judge W. Russell Duke, Jr., without "live testimony or other evidence," and without legal memoranda, based on "argument of counsel." On September 8, 2005, Judge Duke signed an order stating that "after reviewing the complaint, the Court finds that the Motion should be allowed," and dismissing the complaint as to Dr. Faber "with prejudice." The Court, in accordance with local practice, was not obliged to state findings of fact or conclusions of law unless expressly requested to do so, which neither party did.
Plaintiff's Arguments on Appeal
Plaintiff appealed the dismissal order in favor of Dr. Faber, even though her claims against the other three defendants were still pending, relying on a North Carolina doctrine allowing interlocutory appeals when an order has prejudiced "a substantial right." Because Judge Duke's order had said nothing to indicate the basis for the dismissal, plaintiff's brief on appeal sought to negate each of the grounds suggested by Dr. Faber's motion to dismiss. Thus, it argued that personal jurisdiction over Dr. Faber was present, because, although he was an Alabama resident, he conducted the subject medical practice in North Carolina, and the claim arose from that North Carolina activity. There was no need to obtain a certificate because the case against Dr. Faber did not allege that he committed medical malpractice (but rather another type of negligence).
Several pages of plaintiff-appellant's brief developed the argument that the complaint sufficiently pleaded a claim for "negligent infliction of emotional distress." Under North Carolina law, this requires a plaintiff to establish that (1) the defendant negligently engaged in conduct, (2) it was reasonably foreseeable that such conduct would cause the plaintiff severe emotional distress, and (3) the conduct did in fact cause the plaintiff severe emotional distress. In supporting the presence of factual allegations establishing those three elements, plaintiff argued that the complaint sufficiently "alleges negligence, and a breach of Faber's express and implied duty of reasonable care not to allow Robin Byrum or others without medical or other proper authorization to access the Plaintiff's confidential healthcare records." Nowhere in this discussion did plaintiff mention HIPAA. Only later in the brief, while denying that the complaint purports to state a claim under HIPAA, did plaintiff state that the complaint "referenced HIPAA in establishing Defendant Faber's duty of care owed to Plaintiff." Specifically, HIPAA "provided a basis for establishing Defendant Faber's knowledge of and existence of his duty of reasonable care to prevent Defendant Byrum from improperly accessing Plaintiff's healthcare records using Faber's medical access code."
Dr. Faber's Arguments
Dr. Faber's appellee brief devoted only perfunctory attention to most of the grounds addressed by the plaintiff and focused heavily on the inadequacy of the negligent infliction of emotional distress allegations. First, he contended that to establish Faber's negligence through entrusting his access code to his office manager, the "plaintiff must allege that the defendant knew or should have known that the person to whom it was entrusted was likely to cause injury to others in its use." Here, Faber contended, the complaint contained no allegation that "Faber knew or should have known that Defendant Byrum was improperly accessing Plaintiff's records, or that he had any indication that she was likely to do so."
Second, Dr. Faber argued that the complaint did not allege facts establishing that Dr. Faber was "the proximate cause of Plaintiff's severe emotional distress." Such cause, he contended, requires both "cause in fact, and a policy decision that liability for an act should extend to include the result." He argued that even if he had not given it to her, "Byrum may have secretly stolen or gained access" to the code, with the same result, and, the "former husband would have received the same psychiatric medical records by serving discovery on Plaintiff," so "the same result would have occurred even without his negligence." Further, Dr. Faber contended, any possible finding of cause is "insulated by the intervening intentional acts" of defendant Byrum.
Third, Faber argued that, while the complaint alleges "severe emotional distress," that is merely a "legal conclusion," and the complaint fails to allege any specific facts such as "neurosis, psychosis, chronic depression, phobia, or any other type of severe and disabling emotional or mental condition, which may be generally recognized and diagnosed by professionals trained to do so."
None of these three arguments contained any mention of HIPAA, much less of specific HIPAA requirements.
Court of Appeals Decision
The matter came before Judges Robert C. "Bob" Hunter, Robin E. Hudson, and Ann M. Calabria on October 11, 2006. Pursuant to the panel's preference, no oral argument was held. On December 19, 2006, the unanimous Court of Appeals panel reversed the trial court's dismissal. (Prior to the decision, Judge Hudson was elected to the North Carolina Supreme Court, where she was sworn-in early during 2007.)
The Court's opinion, written by Judge Hunter, postured the "dispositive question" as "whether Plaintiff sufficiently stated a claim for negligent infliction of emotional distress for which relief can be granted," and much of its discussion addressed that issue. In making its assessment, the Court of Appeals applied a pleading standard under which a complaint must contain a "short and plain statement of the claim sufficiently particular to give the court and the parties notice of the transactions, occurrences, or series of transactions or occurrences, intended to be proved showing that the pleader is entitled to relief."
The Court analyzed the sufficiency of the negligent infliction of emotional distress claim in terms of the three elements advocated by plaintiff, quoted above, and not disputed by Dr. Faber. The Court construed the complaint to allege that Dr. Faber "negligently engaged in conduct" "by permitting Byrum to use his access code in violation of the rules and regulations of the University Health Systems, Roanoke Chowan Hospital, and HIPAA." The only related issue analyzed by Judge Hunter's opinion was whether it is necessary for the plaintiff to identify in her complaint the "exact rule" said to "establish Dr. Faber's duty to maintain privacy in her confidential medical records." The complaint identified none. This issue was not discussed in either of the briefs, so it likely emerged during deliberations among the appellate judges.
The Court concluded that a plaintiff "is not required in her complaint to cite the exact rule or regulation;" rather, she "only must provide Dr. Faber notice of how she plans to establish the duty that was negligently breached." Judge Hunter reasoned that to require the plaintiff "to describe particular provisions of the rules and regulations would defeat the purpose of simple notice pleadings." Because Dr. Faber "has been placed on notice that the plaintiff will use the rules and regulations of the University Health Systems, Roanoke Chowan Hospital, and HIPAA to establish the standard of care," plaintiff "has sufficiently pled the standard of care."
Notice pleading of the type authorized by North Carolina law is common in states that model their pleading rules after the Federal Rules of Civil Procedure. Thus, the ruling here, that only the most general reference to "HIPAA" is sufficient, could open the door to numerous privacy or security-breach complaints that reflect little, if any, understanding of the covered entity's actual HIPAA-rule obligations. Presumably, specific requirements will be addressed as such lawsuits move toward trial, but the ruling empowers plaintiffs with settlement leverage by preventing defendants from knocking out baseless claims at the beginning of a case.
The Court of Appeals next turned to whether the complaint "sufficiently alleged facts" to state a claim that Dr. Faber's negligence "proximately caused" plaintiff's severe emotional distress. Here the Court felt constrained to follow North Carolina Supreme Court precedent holding that a bare complaint allegation that defendant's negligence "actually and proximately caused severe emotional distress" was adequate. The Court determined the complaint allegations that "Dr. Faber knew of the severe personal animus Byrum had for Plaintiff, Dr. Faber allowed Byrum to use his medical access code, Byrum used the code to access Plaintiff's confidential medical records, and, consequently, Plaintiff suffered severe emotional distress, humiliation, and mental anguish" were "sufficient." It remains unclear, however, in light of the quoted North Carolina Supreme Court language, whether even those facts would have been necessary. The Court of Appeals completely ignored Dr. Faber's arguments that Byrum could have obtained the same information without his negligence or the husband could have obtained it through discovery. Implicitly, the Court rejected such "it would have happened anyway" arguments.
Severe Emotional Distress
Finally, the Court of Appeals considered whether plaintiff "alleged sufficient facts to support a claim of severe emotional distress." Here again the Court of Appeals felt itself bound by an earlier North Carolina Supreme Court decisions finding to be adequate allegations that a defendant doctor's negligence in failing to report to potential parents a heightened risk of sickle-cell disease "caused them 'extreme mental and emotional distress,' specifically referring to Plaintiff-wife's fears regarding her son's health and her resultant sleeplessness." In that case, the Supreme Court had ruled that the allegation was sufficient because it gave the "Defendant notice of the nature and basis of Plaintiffs' claim so as to enable him to answer and prepare for trial." Here, the Court of Appeals determined that bare allegations of "severe emotional distress, humiliation, and mental anguish," when "combined with her other factual claims," met that test.
The development of widespread privacy-breach litigation has been inhibited by plaintiffs' inability to demonstrate that any substantial harm or damages resulted from the alleged breach. Here, Dr. Faber's brief had argued that the emotional distress must be something serious such as "psychosis," "chronic depression" or some other "disabling emotional or mental condition, which may be generally recognized and diagnosed by professionals trained to do so." Judge Hunter's opinion made no mention of this argument but implicitly rejected it by sustaining the sufficiency of the complaint. In that way, the decision makes it comparatively easy for a plaintiff to maintain litigation based merely on subjective distress and, correspondingly, makes it difficult for defendants to knock out at the pleading stage suits where actual harm is lacking.
Other Rulings for Plaintiff
The Court of Appeals also agreed with each of the other points plaintiff had raised on appeal. The interlocutory appeal was proper because "avoiding two trials on the same factual issues affects a substantial right" and Dr. Faber did "not dispute that this matter affects a substantial right." It concluded that "personal jurisdiction over Dr. Faber was proper," because, as "owner of a business in North Carolina, Dr. Faber purposefully availed himself within the state and invoked the protection of the laws." The Court also agreed that the complaint made no attempt to plead a cause of action created by HIPAA itself, so "dismissal on the grounds that HIPAA does not grant an individual a private cause of action was improper."
Finally, and perhaps significantly, the Court of Appeals concluded that the plaintiff need not obtain, as a pre-condition to bringing suit, a "certification from an expert willing to testify that the doctor did not comply with the applicable standard of care," as North Carolina requires for medical malpractice actions. In doing so, Judge Hunter relied on earlier North Carolina appellate decisions holding that only claims that "arise out of the provision of clinical patient care constitute medical malpractice actions" requiring such a certification and that "those relating to the negligent management or administration" of a health care facility do not. The opinion found expressly that "providing an access code to access certain medical files qualifies as an administrative act, not one involving direct patient care." Should such distinctions become accepted generally, it could mean that reform rules designed to reduce the frequency of malpractice actions will prove ineffective in stemming actions based on non-compliance with information privacy or security rules.
Absent later review by the North Carolina Supreme Court, this decision will stand as a reported precedent holding that vague allusions to HIPAA are sufficient to meet state-law negligence pleading standards in patient-information disclosure cases. Additionally, it supports the notion that actionable emotional distress flowing from treatment information disclosures need not produce any serious condition, but, instead, may consist merely of the plaintiff's self-perceived distress. Finally, it provides one example of where reforms designed to limit medical malpractice suits have failed to restrict suits based on HIPAA-related patient information disclosures. Time will tell whether such principles are adopted by other courts, but the seeds have been sown.