A federal court in New Mexico recently declined to dismiss tort claims asserted by a registered nurse against her employer, a government-run hospital, where she sought and obtained treatment for a brutal sexual assault. In denying the motion to dismiss, the court effectively rejected the federal government’s attempt to escape claims based on invasion of privacy for the disclosure of detailed information regarding the assault (G.R. v. United States).

However, the court withheld ruling on the government’s motion to dismiss plaintiff’s claim for “negligence per se” based on the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Instead, the court certified for the New Mexico Supreme Court the question of whether the claim fails, as there is no private right of action afforded by HIPAA. This case serves as a valuable reminder for hospitals of the broad implication of liability for disclosing private information, including the potential impact of HIPAA violations beyond mere regulatory enforcement.

Factual Background: Alleged Disclosure Of Treatment Leads To Court Battle

The plaintiff (who filed the suit using her initials G.R.) sued her employer, Gallup Indian Medical Center, for the dissemination of information relating to treatment she received there after she fell victim to a physical and sexual assault. Her lawsuit claims the hospital disclosed private details of the assault and injuries to coworkers who were not her direct care providers. G.R. alleged the disclosure caused further trauma and humiliation, preventing her return to work, and ultimately causing her to leave her job and move away. In response, she brought tort claims for public disclosure of private facts, intentional infliction of emotional distress, negligence, and negligence per se. The claim for negligence per se – a theory whereby an act is considered automatically negligent because it violates an existing statutory or regulatory scheme – was premised on the hospital’s alleged HIPAA violation.

The hospital moved to dismiss G.R.’s claims for negligence, negligence per se, and public disclosure of private facts, but the court permitted the claims for negligence and public disclosure to proceed. It found no legitimate public interest was served in publicizing the nurse’s sexual assault, and therefore greenlighted her privacy claim. In sum, the court did not take lightly the government’s attempt to avoid liability for disclosure of private information. It declined to rule on the negligence per se claim, however, and specifically avoided answering the question of whether a HIPAA violation may legally set the standard of care for such a cause of action.

Tort Liability By Virtue Of A HIPAA Violation?

As G.R.’s case illustrates, there could be serious repercussions for an employer’s improper disclosure of sensitive and private information, especially if the information is health-related. Particularly significant are the questions raised concerning the potential HIPAA implications if a hospital discloses an employee’s health information.

Hospitals are quite familiar with the requirements HIPAA imposes on healthcare entities involved in the exchange of health information, as well as the potential civil and criminal penalties for the improper handling or disclosure of such information. However, hospitals may not know the broader implication of liability for HIPAA violations in civil lawsuits. Although it is well-established that HIPAA does not create a private right of action, a recent trend in litigation has forced many courts to tackle whether HIPAA may form the basis of a state law claim for negligence per se.

First, it’s important to understand the basic elements of a state negligence per se claim. Although the specific requirements vary from state to state, to succeed on such a claim, the plaintiff must generally establish that: (1) the defendant violated a statute which sets forth a standard of care; (2) the plaintiff is a member of the class of people the statute is designed to protect; and (3) the plaintiff suffered an injury which the statute is designed to prevent. Essentially, the negligence per se doctrine allows the trier of fact to automatically consider a defendant’s actions negligent by virtue of a statutory violation without employing the traditional “reasonable person” standard. Accordingly, the question of whether HIPAA regulations may determine a standard of care a hospital should follow when handling private information, thereby enabling a private litigant to assert a tort claim, is at the forefront of modern healthcare litigation.

Although the court in G.R.’s case passed the issue to the New Mexico Supreme Court to resolve, several other courts across the country have already tackled the issue on the merits. Unfortunately, these courts have consistently allowed claims of negligence per se to proceed on the basis of an alleged HIPAA violation. The reasoning behind this trend is largely consistent across the board; as healthcare providers are certainly familiar with HIPAA procedures when it comes to rendering patient care, this same standard of care is often used when adjudging negligence claims involving the disclosure of private information.

Although plaintiffs cannot bring a private right of action for an alleged HIPAA violation, courts have had no problem using the statute to simply establish the healthcare provider’s legal duty of care to the patient. To the chagrin of healthcare providers, this use of the statute has generally been held to be permissible. Moreover, according to the decisions rendered thus far, the availability of a negligence per se claim based on a violation of HIPAA does not preclude, conflict with, or complicate a healthcare provider’s compliance with HIPAA regulations, thereby eliminating a preemption argument.

The Main Takeaway

The G.R. v. United States case illustrates the continued interplay between HIPAA and state law and, specifically, the potential for lawsuits when plaintiffs use statutory violations as a basis for private tort claims. The path has now been forged for the use of HIPAA violations in a way that was arguably not the intention of federal lawmakers when the statute was created.

As of today, the absence of a private right of action under HIPAA is not necessarily a bar to using evidence of a privacy breach under the statute to support a state tort claim. Accordingly, it is critical that healthcare providers ensure strict HIPAA compliance to avoid not only regulatory enforcement but also individual civil lawsuits, where the price for a mistake can be considerably higher.