Case Law Update: Just Because HIPAA Does Not Provide a Private Right of Action, Doesn't Mean that Other Avenues Exist
Simply stated, the Health Information Portability and Accountability Act (HIPAA) does not provide a private cause of action[1]. And, prior to the 2009 passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act)[2]and the more robust chain of liability (e.g. covered entities, business associates and subcontractors) under the Breach Notification Rule, several courts had held this notion to be true.[3]
Over the past decade, a shift has occurred where state and federal courts are holding that healthcare providers who breach HIPAA and other cybersecurity provisions may be pursued for a variety of common law claims including: negligence, emotional distress, breach of confidentiality, invasion of privacy, contract violations, and punitive damages.[4] The premise for bringing a cause of action for privacy violations stems from the fundamental source of American jurisprudence - the United States Constitution.
In re Columbia Valley Regional Medical Center, 41 S.W.3d 797, 802 (2001) established that, "there is a constitutional right of privacy in this case. Apart from any statutory or evidentiary privileges that apply, the medical records of an individual have been held to be within the zone of privacy protected by the United States Constitution."
See In re Xeller, 6 S.W.3d 618, 625 (Tex. App. - Houston [14th.] 1999, orig. proceeding) (citing Alpha Life Ins. Co. v. Gayle, 796 S.W.2d 834, 836 (Tex. App. - Houston [14th Dist.] 1990 no writ). Recent cases that uphold this motion include:
- Byrne v. Avery Center for Obstetrics and Gynecology SC 18904 (Nov. 11, 2014) - A patient advised her doctor not to provide any information to her significant other because of a paternity suit. The significant other's attorney issued a subpoena and the health center, instead of alerting the patient or fighting the subpoena, simply handed over the records. The Connecticut Supreme Court held that HIPAA does not preempt against negligence claims and may be utilized in establishing the applicable standard of care.
-
Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006) - A patient was treated by a physician who gave his access code to a third party, who in turn, viewed his records. The North Carolina Court of Appeals held that a privacy violation based on HIPAA violations was not a malpractice claim, so no expert certification was necessary; and HIPAA may be utilized in establishing the applicable standard of care.
- John Smith v. Arvind R. Datla, et al., Case No. A-1339-16T3 (Superior Court of New Jersey Appellate Division (Jul 12, 2017) - The judge kept alive a suit accusing a physician for disclosing a patient's HIV status without the patient's consent to an unauthorized third party.
These cases underscore the importance of compliance with HIPAA and the HITECH Act. Actions brought by the Federal Trade Commission, class action law suits and Securities and Exchange Commission requirements were not discussed. The take-away is that HIPAA, the HITECH Act, and other cybersecurity violations can and do form the basis of a wide variety of causes of action. Therefore, underscoring the need to be proactive instead of reactive.
This Week's Audit Tip Written By:
Rachel V. Rose, JD, MBA
Rachel V. Rose, Attorney at Law, PLCC
Rachel V. Rose, JD, MBA, is a Houston, TX-based attorney advising on federal and state compliance and areas of liability associated with a variety of healthcare, legal and regulatory issues including: HIPAA, the HITECH Act, the False Claims Act, Medicare issues, women's health as well as corporate and security regulations.
Article Resources:
[1] 42 USC § 1320d (1996).
[2] Pub. L. 111-5, Sec. 13001 (Feb. 17, 2009).
[3]Valentin-Munoz v. Island Fin. Corp., 364F. Supp. 2d 131, 136 (D. Puerto Rico 2005);
Univ. of Co. Hosp. Auth v. Denver Publ'g Co., 340F. Supp. 2d 1142, 1145-46 (D. Colo. 2004).
|
|
|
Join NAMAS for the 9th Annual Auditing & Compliance Conference December 2017 in Orlando, FL!
Conference Information Pre-Conference: Tuesday, December 5
Conference: Wednesday, December 6 - Friday, December 8
Venue: Loews Sapphire Falls Resort Orlando, FL Click Here to View the Conference AgendaLearn from the best in the industry, network with your peers and visit with our hand picked group of industry relevant exhibitors all in the gorgeous Caribbean inspired backdrop of the Loews Sapphire Falls Resort Conference Pricing - Available Through September 30, 2017 Only NAMAS Member
Conference Only: $1145 Pre-Conference & Conference: $1395 Non Member Conference Only: $1245 Pre-Conference & Conference: $1595
Plus, Don't Miss Your Opportunity to Be a Conference VIP!
This year, we are proud to offer a limited number of VIP package add-ons available to all attendees at the nominal rate of $129. Add on the VIP experience to your conference registration today! As a Conference VIP, you'll receive:
- A VIP registration line for faster check-in
- A VIP branded name badge to wear during conference sessions
- Registration to our EXCLUSIVE VIP Brunch & Session occurring the morning of Wednesday, December 6 before general session begins. This exclusive training will be presented by Frank Cohen
- Admission to our VIP ONLY EVENT - occurring the evening of Thursday, December 7. Enjoy a relaxing evening of entertainment, dancing, food and networking in the Caribbean inspired Sapphire Falls Resort
- Additional $500 in NAMAS Bucks! Use NAMAS Bucks to bid on a variety of prizes available in our exhibit hall
And, as a special added bonus, all VIP attendees will receive a book of printed handouts for all NAMAS pre-conference & conference sessions. As a VIP, there's no need to print handouts before you arrive- Your book will be waiting for you upon your arrival!
There are only a limited number of VIP packages available to be issued on a first come, first served basis . Add on the VIP experience to your conference registration today!
|
|
|
NAMAS 9th Annual Auditing & Compliance
Conference Speaker Spotlight
Each week, we will spotlight a conference speaker and the session(s) he/she will be presenting. Join us for this year's conference December 6-8, 2017 in Orlando, FL at the Loews Sapphire Falls Resort!
Click the image above to learn more about conference
|
|
Sample what a NAMAS membership can offer you with our FREE 1-month LITE trial membership!
During your trial, you'll receive access to weekly webinars for a chance to earn up to 4CEUs, weekly auditing and compliance tips, and even an online sample of BCAdvantage magazine! Click the image above to get your 1-month free trial membership today!
|
|
|
|
As a NAMAS member, you'll receive access to monthly webinars for CEUs (including those hard to find CPMA CEUs!), a subscription to BC Advantage magazine, discounts on products and NAMAS training events, and much, much more!
We offer 4 membership levels- choose the one that best suits your needs!
For added convenience, NAMAS accepts PayPal, PayPal Credit, quarterly and monthly payments of membership dues.
|
|
|
Our Medical Auditing Bootcamp will train you to become a medial auditor. Learn the principles of auditing, compliance regulations, and how to perform the daily duties of an auditor. Our 2-day ONSITE Medical Auditing Bootcamps are scheduled as follows: August 17 & 18: Asheville, NC October 12 & 13: Columbia, SC and more! We also offer this bootcamp as a 5 week LIVE ONLINE Saturday course. Each class is 3 hours and 15 minutes in length. Our next online course begins September 23, 2017! Click Here to Learn More & View Our Medical Auditing BootCamp Schedule
|
|
|
Our 2- Day E&M Auditing Bootcamp is an accelerated auditing training specific to E&M auditing. Learn about audit policies, get clarity on documentation guidelines, medical decision making, medical necessity and more. Plus, during this training program you will have the opportunity earn our NEW CREDENTIAL - Certified Evaluation and Management Auditor (CEMA)!
Our 2-Day E&M BootCamps are scheduled as follows: September 12 & 13: Savannah, GA
October 10 & 11: Phoenix, AZ
November 7 & 8: Cincinnati, OH
November 14 & 15: Salt Lake City, UT
And more!
|
|
|
3- Day Online E&M Auditing BootCamp
August 16 - 18, 2017
We will be offering our E&M Auditing BootCamp ONLINE
August 16, 17 & 18
from 1pm EST - 5pm EST each day
This LIVE online class will provide 12 hours of in-depth E&M education, the same education as our on-site bootcamps.
In addition, you will have the option to take our Certified Evaluation & Management Auditor (CEMA) exam online as well!*
*There is an additional $35 online testing fee for the use of our remote proctoring option
|
|
FREE WEBINAR- 1 CEU
CERT: It's More Than Just a Mint Speaker: Frank Cohen
Register for our Upcoming FREE Webinar
1 CEU Available
CERT: It's More than Just a Mint
Thursday, August 24
2pm EST
During this FREE webinar, Frank Cohen, healthcare statistician and risk analyst, will walk you through the most recent CERT study, emphasizing how auditors use the results to target the practice and how you can use the same information to prepare for the audit when it occurs.
|
|
Weekly Tip Sponsor
Since 1956, DoctorsManagement, a medical and health care consulting firm, has helped physicians in all specialties with health care, dental and medical practice management services in virtually every state across America. Click the logo above to learn more
|
|
|
|