With HIPAA, State Requirements as Important as Federal Ones

April 25, 2013

When considering HIPAA, physicians should include state law claims for inappropriate access to medical records.

On April 1, 2013, the U.S. Supreme Court declined to review a November 2012 decision by the West Virginia Supreme Court of Appeals. (SeeR.K. v. St. Mary’s Med. Ctr., Inc., No. 11-0924 (W. Va. Nov. 15, 2012)). When certiorari, as the requested review of the Supreme Court is denied, it means that the decision reached in the case before it is allowed to stand. In turn, it means that the law is binding in West Virginia. It may also be used by other states to formulate policies and as persuasive law in other jurisdictions, if this issue has not been addressed or it is being used as a basis to render a different outcome in court.

The underlying ruling is significant and should be another reason for physicians to comply with HIPAA and the HITECH Act and the requisite disclosure protocols. As the West Virginia Supreme Court found, "plaintiff’s claims would not have made it impossible for defendant to comply with both the state and federal requirements. In fact, the high court observed plaintiff’s state law claims could actually compliment HIPAA by enhancing penalties for its violation, thereby encouraging HIPAA compliance." [American Health Lawyers Association, "Supreme Court Lets Stand Ruling Finding No HIPAA Preemption of State Law Claims for Inappropriate Access to Medicare Records," Health Lawyers Weeklysubscription required, Vol. XI, Issue 13 (Apr. 5, 2013)]

The case stemmed from a wrongful disclosure of confidential information relayed by plaintiff while he was a patient, which was never previously disclosed, including to his estranged wife. No authorization was given for anyone to view the protected health information (PHI). Unfortunately, employees of St. Mary’s Medical Center improperly accessed the information and disclosed it to the estranged wife and her divorce attorney. At first, his state common law claims for various negligence actions, invasion of privacy, and punitive damages were dismissed by the circuit court; however the West Virginia High Court indicated that the there were no contradictions in the state law claims and the federal HIPAA claims. Rather, the state law claims were not preempted by federal HIPAA privacy and security laws and enhanced their purpose. Therefore, consideration should be given to liability under the federal HIPAA statute, as well as state statutes and related common law causes of action.