The Health Insurance Portability and Accountability Act (HIPAA) imposes requirements on healthcare entities involved in the exchange of health information to protect the confidentiality of such information. It provides both civil and criminal penalties for individuals who improperly handle or disclose individually identifiable health information. HIPAA does not create a private right of action under federal law. However, a recent decision by a district court in Missouri held that HIPAA may form a basis of a state law “negligence per se” claim.

In I.S. v. Washington University, E.D. Mo., No. 11-235, 6/14/11, the U.S. District Court for the Eastern District of Missouri refused to dismiss plaintiff’s claim for negligence per se, despite its reliance on HIPAA, and remanded the case to state court. In this case, plaintiff alleged that defendant made an unauthorized release of certain medical records to plaintiff’s employer, which resulted in harm to the patient. Under Missouri law, the elements of a claim for “negligence per se” are: 1) a violation of a statute; 2) the injured plaintiff was a member of the class of persons intended to be protected by the statute; 3) the injury complained of was of the kind the statute was designed to protect; and 4) the violation of the statute was the proximate cause of injury.

In asserting negligence per se, the plaintiff relied solely on HIPAA to meet the required elements of the claim. Defendant moved to dismiss this claim in federal court on the basis that HIPAA does not create a private cause of action. However, plaintiff contended that its reference to HIPAA in its negligence per se action was merely to establish the legal duty of care rather than a means to find a private cause of action under HIPAA, and that the case should be remanded to state court as it is not a matter of federal subject matter jurisdiction. Ultimately, the court agreed and declined to dismiss the negligence per se claim, although it did remand the case to state court.

The Washington University case is not the first case to hold that HIPAA may be referenced as a basis for a state law claim. For example, in Acosta v. Byrum, 638 S.E. 2d. 246, 253 (N.C. Ct. App. 2006), the North Carolina Court of Appeals allowed a plaintiff to make an intentional infliction of emotional distress claim against a psychiatrist by relying on HIPAA. In that case, the psychiatrist allegedly allowed an office manager to have access to medical records that were used to cause harm to the patient. The plaintiff used HIPAA to establish the standard of care element required in a claim for negligence. The trial court dismissed the claim, stating that HIPAA does not create a private cause of action. However, the appeals court reversed, not because HIPAA creates a private cause of action, but because the court found it appropriate to use HIPAA to establish the standard of care in claims that the defendant violated that standard.

The cases above illustrate the interplay between HIPAA and state law and open the doors to future lawsuits where plaintiffs use HIPAA as a basis for private claims. The risks of such private causes of action are only expected to increase, particularly with the expanded duties that will be laid out in the forthcoming final regulations to HIPAA, which are being modified by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. These final regulations will contain provisions that update HIPAA and extend yet-to-be-finalized health data privacy and security rules to healthcare entities, including funding for heightened HIPAA enforcement.

Due to the increasing reach and breadth of HIPAA, healthcare providers must ensure strict compliance in order to avoid not only regulatory enforcement but also individual lawsuits.