State case ruling indicates that patients may lack standing to successfully sue practices for potential damages due to a HIPAA breach.
In May I wrote, “The Real Reason Physicians Must Comply With HIPAA,” using a hypothetical in which a physician’s office experienced a loss of protected health information (PHI) when its unencrypted computers were stolen.
The point of the article, and the real reason physicians must comply with HIPAA, I noted, had very little to do with individual injury to privacy rights, and everything to do with protecting the financial system as a whole against the actions of criminals and thieves.
The federal government simply doesn’t have much of an interest in an individual’s rights to damages. HIPAA doesn’t create a private right to sue on the part of a patient whose information may have been stolen. It creates a right to notification. Fines under HIPAA, which can reach millions of dollars, go to the government, not the patient.
It isn’t that the federal government doesn’t care about people; rather, the question and comment section of the HIPAA regulations indicates that the Department of Health and Human Services had some doubts regarding whether the federal government could enact laws and regulations creating private causes of action, since this is typically the province of state law.
For this reason, states were encouraged to pass their own versions of HIPAA, which might create private causes of action, modeled after HIPAA’s privacy, security, and breach notification rules.
Illinois is one state that has enacted a state version of HIPAA. Illinois law also contains provisions that might give an individual a right to sue under Illinois law, assuming the individual has been damaged due to a loss of PHI.
A recent Illinois case dealt with the theft of four laptops from Advocate Medical Group. It was alleged that the computers were not encrypted and that private health information, social security numbers, and other data were lost and could potentially be used by thieves in a way that could harm patients.
The question was whether the mere potential that thieves might access and use the data for illegal purposes was sufficient to support a class action lawsuit by the individual patients.
The Illinois court answered, “No.” The plaintiffs had not alleged that their data had actually been accessed and used for an unauthorized purpose. For this reason they could not allege an injury-in-fact.
The court reasoned that the plaintiffs must establish that injury was “distinct and palpable” and “fairly traceable” to the defendant’s actions. Being subject to increased risk of identity theft and/or fraud due to the exposure of their personal information was not enough. The court further stated that “The harm that plaintiffs fear is contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendant.”
Relying on several state and federal cases, the court noted that “[a]lthough plaintiffs do not need to show that they are ‘literally certain’ they will be victims of identity theft and/or fraud, they have not alleged facts that would plausibly establish an ‘imminent’ or ‘certainly impending’ risk that they will be victimized. The mere fact that the risk has been increased does not suffice to establish standing.”
The Illinois case is part of a growing trend in case law that seems to restore some sanity to what the courts consider an over-hyped risk to the individual patient. Just because a person could be harmed doesn’t mean he has been harmed.
In my view, the Office for Civil Rights participates in a bit of rousing of the rabble as a means to convince providers to pay attention and do what they are required to do: actually protect health information from thieves. That’s not a bad thing. Patients who believe this hype, however, might come away feeling a bit manipulated when made to realize there is no actual federal private right to sue for damages, and that all the laws in the world won’t compensate them for a merely potential, but not actual, loss.