[ Friday, June 01, 2007 ]
Private Causes of Action under HIPAA:
I think it's pretty clear at this point that there's no private cause of action for a patient to sue a doctor or hospital for a HIPAA violation. But as I've noted time and again, that doesn't mean that providers can willy-nilly breach HIPAA and only have to worry about what the relatively-inert OCR might do; the HIPAA privacy and security standards are effectively delineated standards-of-care, and a failure to meet that standard might not allow a lawsuit for the breach of HIPAA, but might be proof in a lawsuit for some other tort related to the failure to meet the standard of care. In fact, according to the National Law Journal, hospitals and physicians have figured this out, and are concerned.
Two comments: this isn't anything I'm hearing from my clients and other contacts. I think everyone knows that HIPAA's out there, and they are aware that the downside from a breach will be much bigger if it's the patient that sues rather than OCR pursuing a complaint. So this isn't new news. And I also think it's pretty well accepted that even though the patient may have a private cause of action under a breach-of-duty claim, the patient would have to (i) prove the HIPAA violation to prove the failure to meet the standard of care, and (ii) show actual damages. The fact is that unless identity theft comes into play (in which case the healthcare nature of the lost data is pretty much irrelevant), most losses of medical data don't usually cause much damage to the patient.
Jeff [2:11 PM]