A recent district court case in Missouri may allow patients to use the Health Insurance Portability and Accountability Act as a basis of a private cause of action in state courts, according to a McGuireWoods report.
Courts have held that HIPAA does not create a federal law private right of action, meaning a patient's only recourse under federal law is by filing a complaint with the Office of Civil Rights, says Nathan Kottkamp, partner at McGuireWoods. In I.S. v Washington University, though, the plaintiff could form a state law case.
According to the report, the plaintiff in the case alleged Washington University unlawfully released certain medical records to the plaintiff's employer, resulting in harm to the plaintiff. The plaintiff only relied on HIPAA to meet the required elements of the claim: "1) a violation of a statute; 2) the injured plaintiff was a member of the class of persons intended to be protected by the statute; 3) the injury complained of was of the kind the statute was designed to protect; and 4) the violation of the statute was the proximate cause of injury," the release noted. The plaintiff then said its reference to HIPAA established the "legal duty of care" and that the case should go to state court. The court agreed.
While the I.S. v Washington University is not the first case to show HIPAA can be referenced as a basis for a state law claim, it could bring about a lot of claims, Mr. Kottkamp says. "What this case does, it says aside from the fact there isn't a private right of action in HIPAA, a patient may under certain circumstances have a state law claim and use HIPAA as one of the bases of establishing a duty or standard of care," Mr. Kottkamp says.
Hospitals and providers need to take HIPAA even more seriously because of its universal application, he says.
"Providers need to treat HIPAA forms as something that really matters as opposed to an exercise they do with every patient," Mr. Kottkamp says. "HIPAA is a scary law as it is, but to think patients can sue providers in state court for a HIPAA violation makes things even scarier."
However, he says hospitals can do the following to protect themselves and ensure HIPAA compliance:
• Systemically and periodically look back at HIPAA documents.
• Make sure HIPAA documents are in plain language and are consistent.
• Have policies and procedures in place for general risk management.
Read more about the Missouri district court decision regarding HIPAA.
Related Articles on HIPAA:
Most HIPAA Violations Occur Outside Cloud-Based EHRs
Proposed HIPAA Change Would Allow People to Learn Who Accessed Protected Health Information
Omnibus HIPAA Final Rule Will Not Mandate Encryption of Personal Health Information
Courts have held that HIPAA does not create a federal law private right of action, meaning a patient's only recourse under federal law is by filing a complaint with the Office of Civil Rights, says Nathan Kottkamp, partner at McGuireWoods. In I.S. v Washington University, though, the plaintiff could form a state law case.
According to the report, the plaintiff in the case alleged Washington University unlawfully released certain medical records to the plaintiff's employer, resulting in harm to the plaintiff. The plaintiff only relied on HIPAA to meet the required elements of the claim: "1) a violation of a statute; 2) the injured plaintiff was a member of the class of persons intended to be protected by the statute; 3) the injury complained of was of the kind the statute was designed to protect; and 4) the violation of the statute was the proximate cause of injury," the release noted. The plaintiff then said its reference to HIPAA established the "legal duty of care" and that the case should go to state court. The court agreed.
While the I.S. v Washington University is not the first case to show HIPAA can be referenced as a basis for a state law claim, it could bring about a lot of claims, Mr. Kottkamp says. "What this case does, it says aside from the fact there isn't a private right of action in HIPAA, a patient may under certain circumstances have a state law claim and use HIPAA as one of the bases of establishing a duty or standard of care," Mr. Kottkamp says.
Hospitals and providers need to take HIPAA even more seriously because of its universal application, he says.
"Providers need to treat HIPAA forms as something that really matters as opposed to an exercise they do with every patient," Mr. Kottkamp says. "HIPAA is a scary law as it is, but to think patients can sue providers in state court for a HIPAA violation makes things even scarier."
However, he says hospitals can do the following to protect themselves and ensure HIPAA compliance:
• Systemically and periodically look back at HIPAA documents.
• Make sure HIPAA documents are in plain language and are consistent.
• Have policies and procedures in place for general risk management.
Read more about the Missouri district court decision regarding HIPAA.
Related Articles on HIPAA:
Most HIPAA Violations Occur Outside Cloud-Based EHRs
Proposed HIPAA Change Would Allow People to Learn Who Accessed Protected Health Information
Omnibus HIPAA Final Rule Will Not Mandate Encryption of Personal Health Information