Consumer Recourse for HIPAA Privacy Rights Violation

Author: LegalEase Solutions

Issue

What is a consumer’s recourse against the hospital for violation of their HIPAA rights?

Facts

A pedestrian was hit by a motor vehicle and killed. The ER nurse who treated him learned that there were illegal drugs in his blood and that no family members claimed his body for several days. She told this to her husband, who posted this embarrassing private information on a local blog on the internet.

Analysis

A patient has a right of privacy in the confidentiality of his medical records even after his death, and these rights may be asserted by the decedent’s survivors. Marsh v. County of San Diego, 2007 U.S. Dist. LEXIS 76260 * at 6-7 (S.D. Cal. Oct. 15, 2007); Powell v. United States, 584 F.Supp. 1508, 1526 (N.D. Cal. 1984); see Nat’l Archives & Records Admin. v. Favish, 541 U.S. 157, 170 (U.S. 2004).

However, HIPAA does not afford one the right to sue under it for violations of one’s privacy rights under HIPAA. In other words, you do not have a “private right of action.” Only the HHS or the U.S. Department of Justice has the authority to file an action for violations of the Privacy Rule. All you can do is complain to the one who violates your privacy or to the HHS. http://www.hhs.gov; 65 FR 82566. However, you may be able to sue under state law using the HIPAA Privacy Rule to establish the appropriate standard of care.

HITECH

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”).  Title XIII of the Recovery Act is known as the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  Among other provisions, HITECH modified certain parts of the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

HITECH also provides broader and more severe penalties for HIPAA violations. More relevant to the case before us is that HITECH now allows individuals harmed by HIPAA violations to share in the monetary penalties ultimately collected for the violations. “(3)…Not later than 3 years after the date of the enactment of this title, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.” Section 13410 of HITECH.

POTENTIAL STATE REMEDIES

There have been instances of plaintiffs suing under state legal theories and attempting to use HIPAA as the standard of care, often under either an invasion of privacy cause of action or a negligence theory. However, we did not find many Michigan cases with such causes of action and none that proved successful. Riopelle is one such case where the plaintiff sued on a HIPAA violation through Michigan’s invasion of privacy tort. Riopelle v. Zittel, No. 275403 (Mich. App. 5/20/2008) (Mich. App., 2008). However, many of the torts were dismissed because it was found that the defendant had governmental immunity, while the HIPAA violation was remanded to the trial court.

Based on a survey of online literature with respect to such claims, it appears that the main challenge an attorney faces with them, and thus the reason for attorneys’ reluctance to take on such cases, is often the lack of documented and provable damages.

In conclusion, while an individual does not have a private right of action under HIPAA, they may now share in the violation fees collected as a result of HIPAA violations. Further, although there is little case law or precedent, one can attempt to sue under other legal theories such as negligence or invasion of privacy and seek to have the defendants held to a HIPAA standard of care.