Patients who believe HIPAA Rules have been violated can submit a complaint to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation. There is no individual private cause of action under HIPAA law.
Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed.
Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station.
Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different computer intake station and took a photograph of the two computer intake stations.
On July 3, 2017, Ms. Lee-Thomas submitted a complaint to the hospital alleging a violation of HIPAA and filed a complaint with the HHS’ Office for Civil Rights. Later, a complaint was filed with the District of Columbia Office of Human Rights (OHR) claiming the hospital had failed to make appropriate accommodations for patients to preserve their privacy.
On November 15, 2017, the HHS informed Ms. Lee-Thomas that her claim would not be pursued and OHR similarly dismissed her complaint on November 28, 2017, in both cases on the grounds that she failed to state a claim. OHR suggested Ms. Lee-Thomas had the right to bring a private action before the D.C. Superior Court and she proceeded to do so.
LabCorp removed the case to the U.S. Court of Appeals for the District of Columbia Circuit, and filed a motion to dismiss, again for the failure to state a claim. Ms. Lee-Thomas failed to respond to the motion to dismiss.
In a June 15 ruling, District Court Judge Rudolph Contreras confirmed that HIPAA does permit financial penalties to be issued when patients’ privacy is violated in breach of HIPAA Rules, but civil and criminal penalties are pursued by the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. In his ruling, Judge Contreras confirmed there is no private cause of action in HIPAA.
Even if there were a private cause of action, this case would have been unlikely to succeed, as no harm appears to have been caused as a result of the alleged HIPAA violation.
While lawsuits are likely to be dismissed when based on HIPAA violations alone, that does not mean legal action cannot be taken by patients whose privacy has been violated. There is no private cause of action in HIPAA, but the privacy of personal information is covered by state laws.
Laws have been passed in all 50 states that require notifications to be issued to consumers when their personal information has been exposed, and several states also require companies to implement ‘reasonable safeguards’ to ensure personal data of state residents are protected.
A HIPAA violation can be reported to OCR to investigate, and action may be taken against the covered entity in question by OCR, but if the sole basis of any legal action is a violation of HIPAA Rules, the case is unlikely to be successful.
Victims of privacy violations who wish to take legal action should look at potential violations of state laws rather than HIPAA violations.