[ Tuesday, February 12, 2008 ]
It's really an ERISA case rather than a HIPAA case, but in Streiff v. Oblate Service Corp., 2008 WL 294481 (E.D. Mo. 2008), a former employee sued his former employer and its insurance company for improperly accessing and disclosing personal health information. The employee had left the company, but contacted the HR director to see if the employee was still covered. The HR director wanted to know what the medical condition was, but the employee wouldn't say because he didn't feel it was relevant. Later, the employee's wife did tell the insurer what the medical condition was. The HR director manipulated an employee of the insurer into revealing what the medical condition was, and then used that information to spread rumors about the employee. Since the employer's health plan is a covered entity under HIPAA, this sure looks like a HIPAA violation.
The employee sued the employer and the insurer for three state law causes of action (breach of fiduciary duty, negligence, and breach of the state medical confidentiality law); they didn't claim a HIPAA breach, since there's no private cause of action there. The insurer tried to get the case dismissed by virtue of the ERISA preemption, but the trial court said they had to stay in the case and defend it: since the disclosure was not in the course of providing benefits but for improper purposes, the insurer was not protected by the ERISA preemption.
The key lesson here is that even though there's no private cause of action under HIPAA, in most instances a HIPAA violation that causes damages will be prosecutable under some other state-law cause of action. For insurers, if they act outside their proper boundaries, they will not even have the ERISA preemption to hide behind.
From the Employee Benefits Institute of America (subscription needed). Hat tip: Jim Griffin
Jeff [12:13 PM]