Patients who think that HIPAA Rules have been violated can file a compliant to the Department of Health and Human Services’ Office for Civil Rights (OCR), but they do not have permission to take legal action, at least not for the HIPAA breach. There is no individual private cause of action included in HIPAA law.
Several patients have initiated lawsuits over alleged HIPAA violations, although the cases have not been won. A recent case has confirmed once more that there is no private cause of action in HIPAA, and lawsuits filed only on the basis of a HIPAA violation are extremely unlikely to be won.
Ms. Hope Lee-Thomas submitted the lawsuit for an alleged HIPAA violation that happened at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the case, claims that while at the hospital on June 15, 2017, a LabCorp employee told her to enter her protected health information at a computer intake station.
Ms. Lee-Thomas advised the LabCorp employee that the information was in full view of another person at another computer intake station and took a photograph of the two computer intake stations.
On July 3, 2017, Ms. Lee-Thomas filed a complaint with the hospital alleging a violation of HIPAA and submitted a complaint with the HHS’ Office for Civil Rights. Later, a complaint was filed with the District of Columbia Office of Human Rights (OHR) arguing that the hospital had failed to make appropriate accommodations for patients to maintain their privacy.
On November 15, 2017, the HHS advised Ms. Lee-Thomas that her claim would not be pursued and OHR similarly struck out her complaint on November 28, 2017, in both cases on the basis that she did not state a claim. OHR suggested Ms. Lee-Thomas had the right to bring a private action before the D.C. Superior Court and she done.
LabCorp sent the case to the U.S. Court of Appeals for the District of Columbia Circuit, and submitted a motion to dismiss, again for the failure to state a claim. Ms. Lee-Thomas did not respond to the motion to dismiss.
In a June 15 ruling, District Court Judge Rudolph Contreras said that HIPAA does permit financial penalties to be issued when patients’ privacy is violated in breach of HIPAA Rules, but civil and criminal fine are pursued by the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. In his ruling, Judge Contreras said that here is no private cause of action in HIPAA.
Even if a private cause of action exited, it would be unlikely that this case would have been successful as no damage appears to have been caused due to the alleged HIPAA violation.
While lawsuits are likely to be dismissed when founded on HIPAA violations alone, that does not mean legal action cannot be initiated by patients whose privacy has been breached. There is no private cause of action in HIPAA, but the privacy of personal information is covered by state legislation.
Laws have been introduced in all 50 states that require alerts to be issued to consumers when their personal information has been exposed, and several states also require groups to implement ‘reasonable safeguards’ to ensure personal data of state residents are secured.
A HIPAA violation can be reported to OCR to review, and action may be taken against the covered group in question by OCR, but if the sole basis of any legal action is a breach of HIPAA Rules, the case is unlikely to be successful.
Victims of privacy breaches who wish to take legal action should look at possible violations of state laws rather than HIPAA breaches.