[ Wednesday, August 10, 2005 ]
No Private Right of Action under HIPAA:
I have stated it time and again, and it's clearly well supported by the regulations themselves, individual plaintiffs have no ability to sue covered entities for HIPAA violations by the covered entities. However, even though a plaintiff can't sue for a HIPAA violation, they can use a violation of HIPAA to show fault or causation under some other type of cause of action. In most cases where the HIPAA breach involves a covered entity improperly disclosing PHI to the detriment of an individual, the other cause of action would be a breach of a fiduciary duty or duty of confidentiality (either common law or statutory), libel, slander, casting in a false light, improper use of an individual's image or likeness, or some other type of claim where the underlying cause of action is a breach of a duty by the covered entity or a tort claim against the covered entity. In other words, the covered entity had a duty to the individual to maintain the confidentiality of the individual's private information, and the covered entity failed to exercise that duty; proof of the covered entity's failure is that the covered entity didn't even comply with HIPAA, which is at least the minimum level of effort to comply with that duty. However, there are other types of causes of action, and other legal claims, where the existence of a HIPAA breach could be evidence of fault or causation. To quote from a recent email I received (hat tip Marc Goldstone):"As anticipated, two federal district courts have determined that, while the HIPAA medical privacy provisions do not create a separate claim for relief, they can be enforced in wrongful termination and discrimination cases. Alleged HIPAA privacy violations will be used as evidence of discrimination. In both cases, the discharged employee alleged that the employer improperly utilized protected health information to make an employment related decision. Both employees alleged that the information was improperly obtained from a covered entity. And in both instances, the Courts said that HIPAA violations did not create separate causes of action nor do they support federal jurisdiction for employment claims. These cases demonstrate why the employer must be committed to sustaining a complete HIPAA medical privacy program because while the reasons for discharge in both cases may not be sufficient to support a claim, the HIPAA violations makes the charges appear more serious."
The cases are:Rigaud v. Garofalo
, E.D. Pennsylvania, 5/2/2005
Valentin Munoz v. Island Finance Corp., D. Puerto Rico, 3/28/2005
Jeff [11:48 AM]
Blogger: HIPAA Blog - Edit your Template