[ Friday, September 24, 2004 ]
No private cause of action under HIPAA:
The original HIPAA privacy regulations made it pretty clear that HIPAA did not intend to establish a private cause of action for a HIPAA violation; in other words, an individual can't sue a provider or payor for violating his or her privacy rights under HIPAA. An individual can sue under a common law or statutory right to privacy, breach of confidentiality, or similar legal theory, and can allege that HIPAA is the benchmark for determining whether the individual's rights were violated, but can't specifically sue for a HIPAA violation. The only enforcement for a HIPAA violation can come from the US government, particularly the Department of Justice (which we have recently seen will go after non-covered entities as well as covered entities).
There was a recent case in Colorado where a newspaper improperly obtained PHI from a source at a hospital and published it. The hospital sued the newspaper to prevent the publication of the PHI, but lost. The hospital then sued the newspaper for violating HIPAA, but according to this article
, the court determined that there is no private right of action under HIPAA, and dismissed that part of the hospital's claim. The court determined that the hospital could pursue non-HIPAA state law claims relating to whether the newspaper trespassed to get the information or otherwise violated the hospital's property rights in its medical records. But no HIPAA claims allowed.
Jeff [9:00 AM]
Blogger: HIPAA Blog - Edit your Template