A federal judge recently affirmed that HIPAA does not provide a mechanism for individuals to sue when they believe their privacy rights have been violated. However, the decision probably will not stop individuals from thinking they have the right to sue.
The supposed private right to action under HIPAA has confused people since the law’s inception, explains Nathan A. Kottkamp, JD, a partner with McGuireWoods.
The case involved a plaintiff who had been treated at a Washington, DC, hospital in 2017, during which staff instructed her to complete an online form at a computer workstation. The plaintiff thought the information could be seen by other patients in the area. She filed complaints with HHS, the hospital, the laboratory testing company the hospital used, and the District of Columbia Office of Human Rights. She claimed that the hospital and lab company failed to make proper public accommodations for patients.
The federal court recently followed the pattern of previous courts by telling the plaintiff HIPAA does not allow such lawsuits from individuals. The courts have been clear in confirming there is no private right of action, which means a healthcare entity cannot be sued for a HIPAA violation by a patient, Kottkamp explains.
“That is often a huge surprise to members of the public. They see HIPAA information all the time, and they often are shocked to think that if this is such a big, important federal law, why can’t I sue if I believe my rights have been violated?” Kottkamp says. “I probably get an average of a call a month from people who believe their HIPAA rights have been violated, and they want to sue. I have to tell them, ‘Sorry, there’s nothing you do can other than filing a complaint with the OCR.’”
Plaintiffs also have tried to use HIPAA violations as a starting point for other lawsuits related to privacy matters, essentially saying HIPAA represents the most fundamental level of privacy patients should expect. If there were HIPAA violations, plaintiffs often believe there were de facto violations of more strict state privacy regulations. Those cases have not been very successful, either, Kottkamp says.
“Providers need to know that a patient’s inability to sue over HIPAA violations is no reason to be lax about compliance. Sometimes, the reputation damage and exposure in the media can be more costly than any civil penalties you might have incurred,” Kottkamp warns. “If someone goes on social media and says you don’t care about patient privacy, that could be very costly.”