[ Friday, February 09, 2007 ]
Preemption, causes of action under HIPAA, and causes of action related thereto:
John Dascoli of West Virginia asks: "I am very interested in your blurbs on private lawsuits involving HIPPA violations, especially the North Carolina Court of Appeals case (Acosta)allowing a HIPPA violation to be evidence in a intentional infliction case. Do you think federal courts will allow similar state cases to go forward or will they ultimately rule that such cases are preempted?
This raises two issues, preemption and the right to sue someone for violating HIPAA. HIPAA does include a federal preemption, but it is a limited, one-way preemption. HIPAA does not prevent states (or potentially counties or cities) from imposing more-stringent
medical record privacy regimes; it merely posits a "floor" of privacy below which no other governmental entity can go in passing laws and regulations. This is noticably different from other federal preemptions (ERISA's preemption is the one I'm probably the most familiar with), which prevent states from imposing similar legislation, whether more or less stringent. HIPAA also has specific procedures for determining whether some state legislation is preempted, so the answers to preemption questions should be easily obtainable (OK, not really easily
, but at least clear answers are possible -- again, unlike ERISA preemption questions). Since state privacy laws aren't necessarily bumped, federal courts won't throw out state-specific or state-statute-specific jurisprudence (unless it specifically and only relates to a statute that has been preempted by HIPAA, which seems unlikely). Much of the state common-law tort jurisprudence that would be likely implicated in a HIPAA breach (intentional or negligent infliction of emotional distress, casting in a false light, libel, slander, breach of a confidential relationship, etc.) isn't exclusive to medical record issues anyway, nor is it specifically preempted by HIPAA, since it deals less with the scheme of protecting privacy than the imposition of a duty of privacy or conduct. So, there just won't be an overriding "preemption" of state court actions by federal courts due to HIPAA preemption doctrine.
The "private cause of action" question will remain out there; however, as HIPAA specifically states and a handful of one-way cases makes clear, there's just no private cause of action under HIPAA. If someone breaches HIPAA, it does not matter how badly you are damaged: only the federal government (through OCR and CMS, the investigative and enforcement agencies mentioned in the Enforcement Rule, and anyone else who has a specific grant of jurisdiction) can right that wrong. However, your damages don't necessarily end up un-redressable; you just have to find another statutory or common-law tort into the definition of which your case fits.
Now, if you go pursuing a statutory breach of a duty of confidentiality, or a common-law claim for intentional infliction of emotional distress, you'll have to meet the statutory or common-law elements for the case, part of which will involve proving that the actions of the tortfeasor breached a standard of conduct to which he/she was bound. (As an aside, I have to mention that I'm currently having nightmare flashbacks of Torts class as a first-year law student -- shudder.) Here's where HIPAA steps in to help: If common law requires a potential tortfeasor to abide by a standard of conduct such as a reasonable man standard, does not HIPAA provide some bright lines of what conduct is within the standard and what is outside it? It would be awfully hard for a defendant to argue that while his conduct violated the HIPAA privacy obligations, it didn't violate the reasonable man standard. I said this years ago: even though there's no private right of action, if you violate HIPAA, you've already lost the lawsuit, and it's all just a question of what the damages are. It won't be a HIPAA lawsuit, but HIPAA will be the de facto standard.
So, to answer the question, I think state court cases will be the most prevalent, and I think they'll proliferate where they're appropriate given the facts. The causes of action will be intentional infliction of emotional distress, breach of a confidential relationship and the like. Fortunately for defendants, it will be hard for plaintiffs to show real damages in most cases: what's the financial loss from embarrasment?
Jeff [10:47 AM]
Blogger: HIPAA Blog - Edit your Template