This article discusses HIPAA-related lawsuits and why we may see an explosion of one particular category of HIPAA lawsuit in the next few years. In general, there are four categories of suits that can be thought of as "HIPAA related:" (1) an action by HHS to enforce sanctions for violations (i.e. in the rare case where a covered entity ("CE") or business associate ("BA") does not settle); (2) an action brought by a state attorney general on behalf of the citizens of a state (i.e. as provided for in HITECH Act Section 13410); (3) a private "class action" suit brought under some state law theory (usually state breach notification law or negligence); and (4) an action brought by a single individual under a state law theory of negligence.
The categories above are not exhaustive. They merely represent a useful way to think about various HIPAA lawsuits that we read about. This article focuses on category four and posits why we may see an explosion of these kinds of suits over the next several years.
In order to set the stage, we first must remind readers that individuals cannot bring an action directly under HIPAA. HIPAA does not allow individuals to bring suit for HIPAA violations, no matter how egregious. Under HIPAA, all that an individual patient may do is the following: (1) file a complaint with HHS (i.e. on the HHS website); and (2) file a complaint with their state attorney general (we are aware of no formal process for doing the latter).
BUT, you may be thinking, didn't an individual patient just win a significant judgment against Walgreens for over $1M? The answer to that question is yes. However, the distinction is that the patient did not bring suit "under HIPAA"; rather, the patient sued under a state law theory of negligence. The HIPAA requirements were simply used as the "standard of care."
A De Facto Right of Action under Negligence Law
Before we discuss the import of individual cases such as Walgreens, we need to cover some Negligence Law 101 concepts, otherwise you are likely to get "lost in the weeds" of the legal jargon. In order to prevail on a theory of negligence the plaintiff (i.e. the individual patient for our purposes) must prove, by a "preponderance of the evidence," the following four elements:
- Duty: That the CE or BA had a legal duty to protect the patient's PHI. HIPAA clearly establishes such a duty.
- Breach: That the CE or BA breached the "standard of care" that pertains to the specific Duty alleged. Here, as we shall discuss, a number of courts have held that the HIPAA requirements can be used as the "standard of care."
- Causation: That the Breach caused harm to the patient. Note: we are going to ignore the fact that "Causation" is really two elements in one: (1) cause in fact; and (2) proximate cause.
- Damages: That the harm caused by the Breach resulted in actual damages to the patient. Note: the term "actual damages" under negligence law is a legal term of art. Actual damages are distinguished from "pain & suffering/emotional" damages. That said, it remains unclear whether "emotional damages" will be awarded in a HIPAA-related case; it will likely depend on the facts (e.g. the CE releases a patient's PHI indicating that the patient has HIV to the patient's employer).
Unless all four elements are proven, the CE or BA wins. To be sure, the simple fact that HIPAA can be used as the "standard of care" does not get a patient all the way home. For example, many courts have pushed back on whether "actual damages" resulted from a breach, although in Walgreens the patient obviously prevailed on all four elements.
The Standard of Care
What does it mean for HIPAA to be the "standard of care" in a negligence action? The "standard of care" is inextricably intertwined with the first two elements. The "standard of care" represents the "measure" of the Duty owed and is also the "standard" by which a Breach is established. In short, if, in a negligence action regarding PHI, it is established that the alleged conduct of the CE/BA violated HIPAA, then that will almost certainly establish that Breach (element 2) has been satisfied. Keep in mind that Breach, as used in negligence law, has nothing (directly) to do with how "breach" is defined under the HITECH Act. To put it another way, if you violate HIPAA vis-a-vis the conduct that the patient alleges, then two of the four negligence elements have been met. Further, because the HIPAA regulations provide a well-defined "standard of care," establishing the first two elements should be relatively straightforward for the plaintiff.
Holding that HIPAA is the "standard of care" in a negligence action is nothing new. In 2007 (i.e. prior to the HITECH Act) a NC Appeals Court held that HIPAA could be used as the "standard of care" in the kinds of negligence actions we are discussing here. Since then, many courts, including the CT Supreme Court, have held analogously. What was "shocking" in the Walgreens case (in addition to the jury's $1.4M judgment) was the fact that the Court allowed the jury to decide whether Walgreens could be held accountable, under a theory of respondeat superior ("let the master answer"), for the intentional wrongdoing of an employee. In other words, the $1.4M judgment was levied directly against Walgreens, the party with the "deep pockets" (and presumably against the individual employee as well). Under HIPAA, to the best of our knowledge, the intentional wrongdoing of an employee had NOT resulted in the master being held liable until Walgreens.