While HIPAA does not in and of itself create a private cause of action, a growing body of cases in both federal and state courts outside of Texas suggests that a HIPAA violation causing clear harm to a plaintiff may support a lawsuit by providing grounds for some other private claim.  Plaintiffs who have shown intentional breaches or especially private disclosures have had recent notable success in persuading courts to treat their health care providers’ HIPAA-based duties as an applicable standard of care to support their claims.

At least two such claims were recognized in November 2014 alone.   In Byrne v. Avery Center for Obstetrics and Gynecology, the Connecticut Supreme Court held that a plaintiff’s negligence claims were not preempted by HIPAA and that HIPAA may inform the standard of care for a common-law negligence claim.  There, the plaintiff’s claim was based on her obstetrician’s having produced her medical records to her ex-boyfriend in response to a subpoena.  Despite the plaintiff’s having expressly instructed the obstetrician not to share her records, the obstetrician responded to the subpoena without notifying the plaintiff, filing a motion to quash, or objecting.   The plaintiff sued the obstetrician for breach of contract, based on the violation of its privacy policy; negligence in failing to use proper care in protecting her medical file, including violations of its own regulations implementing HIPAA; negligent misrepresentation; and negligent infliction of emotional distress.  On appeal, the court overturned the lower court’s preemption holding and found that HIPAA could inform the applicable standard of care.

An Indiana court of appeals also recognized a claim factually predicated on a HIPAA violation in Hinchy v. Walgreen Co.  There, the court did not expressly discuss whether HIPAA violations can give rise to other private claims; instead, the court admonished the defendant’s pharmacist employee for breaching “one of her most sacred duties” by purposefully divulging the plaintiff’s birth control prescription records to her husband, the plaintiff’s ex-boyfriend.  The court affirmed a $1.8 million award to the plaintiff, whose claims against Walgreens included negligent retention and supervision as well as Indiana statutory claims of negligence by professional malpractice and public disclosure of private facts.

These cases differ significantly from the more typical data security breach.  They illustrate, however, that courts may be increasingly willing to use HIPAA violations to support common law or state statutory claims, at least where the violation and harm to a plaintiff are clear.

January 2015