Sure Sounds Like A Private Right Of Action
The federal HIPAA statute has frightened and confused almost everyone who has had to deal with it. Most people have a vague understanding that it ensures the privacy of medical records, but after that the details get fuzzy. A lot of people are surprised, for example, to discover that the “P” in HIPAA doesn’t even stand for “privacy.” It stands for “Portability” — as in the “Health Insurance Portability and Accountability Act” — which is what “HIPAA” actually stands for. The statute itself has no specific privacy terms. Those are all part of regulations passed by the Department of Health and Human Services. Confused yet? Now, a recent case from Missouri should add to the confusion. One aspect that HIPAA does not include is a “private right of action.” That means that a health care provider can get in administrative trouble for violating the statute, but not be sued. Except, apparently in Missouri. A patient at the Washington University Medical Center was being treated for colon cancer. She authorized the University to supply to her employer the dates of her treatment. The University however supplied information concerning the plaintiff’s HIV status, mental health issues and insomnia treatment. She filed a state court action in Missouri. Included in her complaint was a count of “negligence per se” based on the University’s violation of HIPAA. Negligence per se is concept that allows a plaintiff to establish another party’s negligence as a matter of law based on the defendant’s violation of a statute or ordinance. So for example, if a person gets hit by a car that ran a red light, the driver is negligent per se. The University removed the case to federal court and argued that, because Congress did not authorize private rights of action under HIPAA, the negligence per se count should have been dismissed. The federal court disagreed. It stated that even though Congress didn’t provide for a private right of action, it didn’t expressly say it preempted state laws on the subject. Which means that if you write that HIPAA does not provide a private right of action, you should probably put an * next to it with a disclaimer that says:
*except in the state of Missouri, where apparently there is one!