HIPAA Liability Not Limited to Federal Violations

November 27, 2014

Court signals federal HIPAA violations do not prevent claimants from bringing a state common-law suit; cautions physicians on the extent of practice liability.

I often write about case law because of its importance to healthcare providers and the adverse impact a similar violation can have on both reputation and finances. This week's case is no exception.

The 11th Circuit Court of Appeals in Connecticut held that the state law negligence claim was not preempted by HIPAA (Byrne v. Avery Ctr. for Obstetrics and Gynecology, PC, No. SC 18904 (Conn. Nov. 11, 2014)).

"Specifically, the operative complaint in the present case alleges that the defendant:

(1) Breached its contract with her when it violated its privacy policy by disclosing her protected health information without authorization;

(2) Acted negligently by failing to use proper and reasonable care in protecting her medical file, including disclosing it without authorization in violation of General Statutes § 52-146o and the department's regulations;

(3) Made a negligent misrepresentation, upon which the plaintiff relied to her detriment, that her medical file and the privacy of her health information would be protected in accordance with the law; and

(4) Engaged in conduct constituting negligent infliction of emotional distress."

The court reversed the trial court's holding and indicated that a HIPAA violation did not preempt a state common-law negligence claim, that § 52-146o may be used as a basis to establish the standard of care, and that it was declining to opine as to whether the statute provides such a private right of action.

What does this mean? First, state common-law claims involving HIPAA have been upheld in both state and federal courts. Second, the concept of preemption - where federal law supersedes state law, making the state law cause of action not viable - in this instance is not valid.

This is an important concept and should not be overlooked, because the Omnibus Rule expressly states that federal HIPAA is the floor and state HIPAA laws can go beyond it; they just cannot contradict federal HIPAA. "Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,582 (December 28, 2000). In its administrative commentary to the final rule as promulgated in the Federal Register, the department responded to this question by stating, inter alia, that 'the fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions,' namely, fines and imprisonment. (Emphasis added.) Id. This agency commentary on final rules in the Federal Register is significant evidence of regulatory intent."

By looking at the regulatory intent, the court concluded that the state law claims "do not preclude, conflict with, or complicate healthcare providers' compliance with HIPAA." In other words, claims brought under state law causes of action do not conflict with federal HIPAA obligations, and cases can be brought that relate to both. Again, this means that compliance with HIPAA may help physicians defend themselves against state law causes of action, too.