Imagine a breach in the privacy of protected health information. The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA. Courts have consistently held that HIPAA provides no private right of action.
In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated. When hospitalized, she had been asked to submit medical information on a computer. She alleged that the information she entered was visible to another patient at a nearby computer station. The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation. It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.
The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract. Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses. Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation.
That does not mean that we should ignore HIPAA as a source of liability. As we previously reported, an administrative law judge recently upheld HIPAA penalties of more than $4 million that the Office of Civil Rights of the Department of Health and Human Services (OCR) determined should be assessed against a hospital.
The risks presented by significant HIPAA violations remain serious, although it appears that the pace of HIPAA enforcement by the OCR has slowed under the Trump administration. In addition to the ALJ decision, the OCR has announced only two settlements of HIPAA investigations in 2018, and the OCR has been very quiet about its audit program for HIPAA compliance.
That could, of course, change, and there has been one recent development that may affect HIPAA enforcement in the future. The OCR has announced that it will seek comments on a methodology for sharing a portion of its recoveries under HIPAA with those harmed by a breach. The development of this methodology is required under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Whether the development of this methodology leads to more enforcement activity or higher settlements is likely to remain a subject of speculation for several years. Its effect on OCR enforcement actions may emerge only after regulations on the methodology are finalized and put into effect.