HIPAA — It's Not Just for Federal Courts Anymore
For the first time, a federal circuit court of appeals has confirmed that Congress did not create a private right of action under the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C.A. § 1320d-1, et seq. In Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006), the Fifth Circuit held:
"HIPAA does not contain any express language conferring private rights upon a specific class of individuals. Instead, it focuses on regulating persons that have access to individually identifiable medical information and who conduct certain electronic health transactions. Because HIPAA specifically delegates enforcement, there is a strong indication that Congress intended to preclude private enforcement."
Premising federal subject-matter jurisdiction on the HIPAA statute, plaintiff Margaret Acara filed a claim in Louisiana Federal Court against her physician for allegedly disclosing Acara's private medical information without her consent during a deposition. However, the trial court dismissed Acara's claims on the grounds that it did not have jurisdiction over the dispute since there was no private right of action under HIPAA. The Fifth Circuit agreed and affirmed the trial court's ruling.
The Fifth Circuit's holding that HIPAA precludes private lawsuits is consistent with the positions uniformly taken by other federal courts that have addressed the subject in previously published opinions. As federal courts close their doors to private HIPAA claims, plaintiffs increasingly will turn to state courts to remedy a perceived HIPAA violation.
The Acara ruling is limited to the existence of a private claim brought under HIPAA for a HIPAA violation. It does not preclude private claims based on HIPAA violations that are brought under state law. Persons responsible for safeguarding protected health information should understand that HIPAA guidelines still can play an important role in establishing the legal standard of care in state law actions for conduct that essentially amounts to violation(s) of HIPAA. Federal and state courts in Alabama, Mississippi, and Georgia routinely use federal securities law standards to establish the applicable legal standard of care in state securities fraud lawsuits. The short mental leap to apply HIPAA standards to the equivalent state law privacy, emotional distress, and/or negligence actions already has been taken by some courts outside of Alabama in cases such as Acosta v. Byrum, No. COA06-106 (North Carolina state court action, 2006) and Bigelow v. Shockley, No. Civ. A. 04-2785 (federal court in Louisiana, 2005).
In the Acosta case, a former patient filed state law privacy and negligence claims against a clinic staff member, who allegedly gained access to the patient's medical file and then shared her private medical information with third parties, and against the physician who allegedly granted the access. In reviewing the trial court's dismissal of the case for the plaintiff's failure to plead her claims sufficiently, the Acosta court noted that, because North Carolina (like Alabama) is a notice pleading state, the plaintiff need only provide "notice of how she plans to establish the duty that was negligently breached." The court then held that "defendant has been placed on [sufficient] notice that plaintiff will use the rules and regulations of the [hospital and health system] and HIPAA to establish the [state law] standard of care."
In Bigelow, a husband and wife brought privacy and negligence claims against hospital employees alleging that, while the husband was under anesthesia, the employees had demeaned him and had publicly posted pictures of him in that condition. Because the complaint also alleged a violation of HIPAA regulations, the defendants removed the case to federal court. However, in remanding the action to state court, the Bigelow court observed that "it is clear that the Bigelows' reference to violations of HIPAA was made purely within the context of their asserted state law privacy and negligence claims. The alleged violation of HIPAA was referenced only as an element of the petition's state law negligence and privacy causes of action."
Courts currently agree that HIPAA does not provide a private right of action for patients whose identifiable medical information has been disclosed improperly. That consensus provides limited comfort, however, because the very absence of such a federal remedy makes it more likely that courts will permit HIPAA to be used to establish the applicable standard of care in state law actions seeking to redress HIPAA violations. Undoubtedly, HIPAA's impact will continue to grow and be felt beyond just the four corners of the statute itself.