The Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not provide for a private right of action allowing affected individuals to sue to enforce its provisions. However, case law that has emerged in recent years, as discussed here and here, suggests that HIPAA may define the duty of care for providers. By recognizing HIPAA as the standard of care for patient privacy, decisions from a number of state courts have created a path for patients to use alleged HIPAA violations as the basis for both common-law tort claims and claims under state privacy laws. A recent decision from a New Jersey appeals court further spotlights the ability of a patient to sue a provider based on a HIPAA violation.

The case, John Smith v. Arvind R. Datla, et al., in the Superior Court of New Jersey Appellate Division (Docket No. A-1339-16T3), involves a patient who alleged that his doctor had unlawfully disclosed his HIV status to an unidentified third party who was in the room during a bedside consultation. The plaintiff asserted several claims against the doctor and the medical practice, including invasion of privacy based on the inappropriate disclosure of confidential medical information without his consent, in violation of HIPAA.

The defendants moved to dismiss the claim on the grounds that HIPAA does not provide a private right of action. Despite finding that there was no private right of action under HIPAA, the judge ruled that the plaintiff had adequately pleaded and could proceed with an amended complaint under a common-law invasion of privacy claim.

When implementing HIPAA compliance programs, providers are generally focused on avoiding government enforcement actions and large penalties, which do not usually stem from small breaches. This appellate decision serves as a reminder that even a small and inadvertent HIPAA violation can have significant consequences for a provider when it results in reputational or financial harm or emotional distress.