A U.S. district court judge in Washington, D.C., on June 15 dismissed a case by a patient who alleged Laboratory Corporation of America, or LabCorp, violated HIPAA, reaffirming the precedent that individual patients cannot file lawsuits for alleged HIPAA violations, according to GovInfoSecurity.
Here are five things to know about the case:
1. The district court's ruling dismissed a lawsuit filed by a patient of Washington, D.C.-based Providence Hospital. According to the lawsuit, the patient underwent laboratory testing from LabCorp during a June 2017 hospital visit. During the visit, the former patient said she was instructed to submit medical information at a computer intake station that was allegedly within eyesight and earshot of a second patient using a separate intake station.
2. In July 2017, the patient sent a letter to Providence Hospital arguing the incident at the computer intake station constituted a possible HIPAA privacy violation. She proceeded to file a complaint with HHS' Office for Civil Rights, arguing LabCorp's alleged failure to make proper "public accommodations" to ensure HIPAA-compliant facilities violated the data privacy and security legislation.
3. HHS notified the patient in November 2017 that the office would not pursue her complaint. The June 15 ruling noted, "LabCorp's alleged HIPAA violation is the only cause of action" included in the case, and that given "the clear consensus among courts that have addressed the question, no private action exists under HIPAA, and accordingly, [the patient] has failed to state a claim upon which relief can be granted."
4. Regulatory and privacy attorneys who spoke with GovInfoSecurity said the ruling reaffirmed the precedent that only the OCR and state attorneys general, not individual patients, can file lawsuits against healthcare organizations for alleged HIPAA violations.
"Time and time again, courts have said there is nothing in the statutory language [of the HIPAA rules] allowing private individuals to bring private action for HIPAA violations," said regulatory attorney Elliot Golding of the law firm Squire Patton Boggs.
5. Individual patients are able to pursue lawsuits seeking damages under various state laws in the case of a potential healthcare data breach. For example, all 50 states have data breach notification laws.
"It's extremely important to note that although HIPAA does not have a private right of action, many state laws require entities, both healthcare entities and others, to implement HIPAA-like protections for consumer data, and have stiff penalties," said privacy attorney Iliana Peters of the law firm Polsinelli.