by Ryan Knox1
Patients expect their health information to be kept private. In the digital age where hacks of health information are increasingly common,2 companies possessing health information must take steps to protect that information.3 Federal law, specifically the Health Insurance Portability and Accountability Act (HIPAA),4 provides some guidance for companies on how to protect electronically-held health information.
HIPAA applies to protected health information that is in the possession of a covered entity (a healthcare provider, a health plan, or a healthcare clearinghouse) or its business associate.5 Covered entities and business associates in possession of health information are required to take reasonable steps to protect this information and ensure it remains confidential.6 Under HIPAA, in the event of a data breach, companies are required to notify those whose data has been disclosed.7
Only the Department of Health and Human Services (HHS) and the state attorneys general can enforce HIPAA violations.8 Individuals have been left with limited recourse following health information data breaches. With data breaches becoming increasingly common, individuals have attempted to circumvent HIPAA’s lack of individual enforcement power by bringing negligence per se claims under state law based on violations of HIPAA.9 This is contrary to the aims and framework of HIPAA. Therefore, this Contribution argues that states should not allow negligence per se claims brought based on violations of HIPAA.
* * * * *
General common law negligence is failing to do what a reasonable person would in a similar situation, breaching a duty of care.10 There are four elements to negligence: “(1) a preexisting duty or standard of care, (2) a breach of that duty, and (3) damages (4) caused by that breach of duty.”11 One type of negligence, and the focus of this Contribution, is negligence per se.
Negligence per se is a “negligence claim with a statutory standard of care substituted for the common law standard of care.”12 In a negligence per se case, the dispositive question is not “whether the defendant acted as an ordinarily prudent person would have acted under the circumstances,”13 but rather “whether the relevant statute or regulation has been violated.”14 If the defendant violated the statute, then “the defendant was negligent as a matter of law.”15
Although federal statutes may support state tort claims,16 violations of any given statute do not necessarily amount to a claim of negligence per se. States can restrict the scope of negligence per se claims in their state. For example, in Kentucky, only state statutes are permitted to serve as a basis for negligence per se.17 In Florida, only statutes that provide a private right of action can be the basis of a negligence per se claim.18 While individual state statutes may have particular influence on the permissibility of these state negligence claims, this Contribution focuses on the aspects of HIPAA that weigh against violations of HIPAA serving as the sole basis of negligence per se claims.
* * * * *
HIPAA lacks a private right of action.19 Only the Department of Health and Human Services and state attorneys general have the power to enforce HIPAA violations.20 In 2009, Congress increased protections for medical information with the Health Information Technology for Economic and Clinical Health Act (HITECH Act).21 Importantly, Congress did not add a private right of action to HIPAA with their revisions in HITECH.
Because HIPAA specifically delegates enforcement to the Department of Health and Human Services and the State Attorneys General, “there is a strong indication that Congress intended to preclude private enforcement.”22 Congress has the power to “define injuries” so that plaintiffs will have standing when they would not otherwise.23 Congress does this by giving “a person a statutory right and purport[ing] to authorize that person to sue to vindicate that right.”24
Courts cannot create a private right of action in a statute where one does not exist.25 Congress has chosen not to create such a right in HIPAA. If Congress intended to have private parties enforce HIPAA “then it should amend the statute to conform it to its intent” and add a private right of action.26 Courts have recognized this and, accordingly, have repeatedly dismissed negligence per se claims based on alleged HIPAA violations.27
In Sheldon v. Kettering Health Network, a patient sued the hospital for negligence per se and invasion of privacy.28 The court found that HIPAA did not preempt negligence claims based on alleged HIPAA violations, but the violation did not constitute negligence per se. The court decided that while the violation could be evidence of negligence, it could not provide the basis for negligence per se, as allowing a negligence per se claim based on a violation of HIPAA would be “tantamount to authorizing a prohibited private right of action for violation of HIPAA itself.”29 Other courts have followed Sheldon and declined to permit negligence per se claims based on alleged HIPAA violations.30
Some courts have permitted negligence per se claims based on HIPAA violations to move forward. However, these cases are inapposite. The court in K.V. v. Women’s Healthcare Network, LLC, considered whether a negligence per se claim based on violations of HIPAA and a state statute could be heard in federal court.31 The court remanded the case to state court as the mere mention of HIPAA did not confer federal question jurisdiction under Merrell Dow.32 It did not, however, hold that these negligence per se claims were permissible, as that was not the question before the court. Similarly, in I.S. v. Washington University, the question presented was whether the federal district court had subject matter jurisdiction under Merrell Dow and Grable & Sons Metal Products.33 Even though the court analyzed HIPAA’s lack of private right of action, this was in relation to conferral of jurisdiction, not the permissibility of the claim.
Many courts have allowed alleged HIPAA violations to inform the duty or standard of care in general negligence claims, particularly in instances where there was an underlying state right describing the duty.34 But where the negligence per se claim is based solely on HIPAA violations, there is nothing to inform and the claims cannot stand. If Congress wanted to provide individuals private rights under HIPAA, “then it should amend the statute to conform it to its intent.”35 Courts cannot create a private right of action or revise a statute based on their policy preferences.36 Permitting state law negligence per se claims based solely on HIPAA violations would effectively do just that.
* * * * *
Individuals bring negligence per se claims based on HIPAA violations in order to remedy their individual harms. HIPAA enforcement cases do not remedy individual harms resulting from breaches of health information; any financial penalties to the covered entity or business associate that disclosed private health information go to the government, not the individuals.37 The only individual recourse under HIPAA for victims of health information data breaches is filing a complaint with the HHS Office of Civil Rights.38 However, this does not provide a remedy to the individual privacy harm.39
While an individual may want a remedy under HIPAA, HIPAA did not in fact provide individual privacy rights. HIPAA allows for broader state privacy rights but only provides limited individual rights, such as the right to request records and to be informed of privacy breaches.40
Neither HIPAA nor the regulations developed by HHS under HIPAA “confer[ed] privacy rights upon a specific class of individuals.”41 Instead, the statute regulates “persons that have access to individually identifiable medical information and who conduct certain electronic health care transactions.”42 This is because HIPAA was enacted for the broader purpose of regulating covered entities to prevent the “improper disclosures of medical information,”43 not to redress an individual’s alleged harm. It would be incoherent for individuals to be able to sue for these non-existent individual rights under HIPAA. As such, individuals should not be allowed to bring negligence per se claims based solely on HIPAA violations.
Plaintiffs may argue that this leaves them without recourse for violations of their health information privacy. This is simply not the case. Removing negligence per se still leaves state law negligence claims where HIPAA informs the standard of care. Plaintiffs would still have to prove a common law duty and breach of that duty, which would be unnecessary in a negligence per se claim. Individuals also can bring other state law tort claims for invasion of privacy or breach of fiduciary duty.44 These common law torts do not infringe upon the intent and framework of HIPAA yet still provide individuals the potential for remedying their harm.
* * * * *
Congress did not intend for individual claims to be brought based on HIPAA. HIPAA, while known as a healthcare privacy law, does not itself provide individual privacy rights or remedies for violations of such rights. State law negligence per se claims are blatant attempts to bring claims under HIPAA which could not be brought directly. As such, courts should not permit negligence per se claims based solely on alleged violations of HIPAA. Instead, individuals should use other state law torts with HIPAA as potential evidence of the standard of care. This will be truer to HIPAA’s intent and framework.
1. Ryan Knox is a 3L at New York University School of Law and Executive Editor of N.Y.U. Proceedings. This piece is a commentary on the 2018 Southern Illinois University School of Law National Health Law Moot Court Competition held in Carbondale, Illinois. The views expressed in this article do not necessarily represent the views of the author on this point of law. Rather, this article is a distillation of part of one side of an argument addressed at the Southern Illinois University School of Law National Health Law Moot Court Competition. I would like to thank my competition partner, Ian Swenson, and the many classmates who helped us prepare for the competition for their thoughtful comments that assisted in the development of this Contribution.
2. Austin Rutherford, Byrne: Closing the Gap between HIPAA and Patient Privacy, 53 San Diego L. Rev. 201, 212 (2016) (citing Health Information Privacy Complaints Received by Calendar Year, U.S. Dep’t Health & Human Servs., http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/complaintsyear.html [https://perma.cc/48AJ-WP4B] (last visited Feb. 8, 2016)).
3. While companies are increasingly taking steps to protect health information, not all companies are required to do so under federal law. HIPAA only applies to covered entities and business associates, not every single company in possession of personal health information. As a result, not every single breach of health information can be brought under HIPAA. The 2018 National Health Law Moot Court Competition also considered whether the company—the prescription assistance program within a pharmaceutical company—was a covered entity or business associate under HIPAA, and, based on that, whether the company was governed by HIPAA and could violate it for the purposes of negligence per se. This Contribution does not address this additional complexity, and will focus only on whether negligence per se claims can be based on HIPAA violations.
4. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of 42 U.S.C.).
5. 45 C.F.R. § 160.103 (2014).
6. See 45 C.F.R. § 164.306(a)(1) (2015) (Privacy Rule); see 45 C.F.R. § 164.312 (2015) (Security Rule).
7. 45 C.F.R. § 164.404(b) (2015).
8. 42 U.S.C. § 1320d‑5.
9. The National Health Law Moot Court Competition problem also included general negligence claims under state law. This Contribution will not consider whether HIPAA can be used as evidence for standard of care for state law claims of general negligence.
10. Negligence, Black’s Law Dictionary (10th ed. 2014).
12. Real Estate Marketing, Inc. v. Franz, 885 S.W.2d 921, 927 (Ky. 1994) overruled on other grounds by Giddings & Lewis, Inc. v. Indus. Risk Insurers, 348 S.W.3d 729 (Ky. 2011) (citing Atherton Condo. Apartment-Owners Ass’n Bd. of Dirs. v. Blume Dev. Co., 799 P.2d 250, 262 n.13 (Wash. 1990)).
13. Wendland v. Ridgefield Constr. Servs., Inc., 439 A.2d 954, 956 (Conn. 1981) (citing William L. Prosser, Law of Torts § 36).
16. See Grable & Sons Metal Prods., Inc. v. Darue Eng’g & Mfg., 545 U.S. 308, 318–19 (2005) (citing Merrell Dow Pharms., Inc. v. Thompson, 478 U.S. 804 (1986)). See also Restatement (Third) of Torts: Phys. & Emot. Harm § 14 cmt. A (Am. Law Inst. 2010) (explaining that the section on negligence per se “most frequently applies to statutes adopted by state legislatures, but equally applies to … federal statutes as well as regulations promulgated by federal agencies”).
17. See Young v. Carran, 289 S.W.3d 586, 589 (Ky. App. 2008) (quoting T & M Jewelry, Inc. v. Hicks ex rel. Hicks, 189 S.W.3d 526, 530 (Ky. 2006)).
18. See In re Cmty. Health Sys., No. 15-CV-222-KOB, 2016 U.S. Dist. LEXIS 123030, at *90 (N.D. Ala. Sept. 12, 2016).
19. See, e.g., Dodd v. Jones, 623 F.3d 563, 569 (8th Cir. 2010) (finding that a plaintiff’s claim failed because “HIPAA does not provide a private right of action”). See also Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 45 (Conn. 2014) (“It is by now well settled that the ‘statutory structure of HIPAA precludes implication of a private right of action.’”) (quoting University of Colorado Hospital Authority v. Denver Publishing Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004)); Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006) (“Every district court that has considered this issue is in agreement that the statute does not support a private right of action.”).
20. See 42 U.S.C. § 1320d‑5.
21. Pub. L. No. 111–5, Div. A, Title XIII, Div. B, Title IV, 123 Stat. 226, 467 (2009).
22. Acara, 470 F.3d at 571 (citing Alexander v. Sandoval, 532 U.S. 275, 286–87 (2001)).
23. Massachusetts v. E.P.A., 549 U.S. 497, 516 (2007).
24. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016).
25. See Alexander v. Sandoval, 532 U.S. 275, 286–87 (2001).
26. Lamie v. United States Trustee, 540 U.S. 526, 542 (2004).
27. See, e.g., Young, 289 S.W.3d at 588 (“HIPAA does not create a state-based private cause of action for violations of its provisions.”); Weinberg v. Advanced Data Processing, Inc., 147 F. Supp. 3d 1359, 1365–66 (S.D. Fla. 2015) (“Florida courts have refused to recognize a private right of action for negligence per se based on an alleged violation of a federal statute that does not provide for a private right of action.”).
28. 40 N.E.3d 661 (Ohio Ct. App. 2015).
29. Sheldon v. Kettering Health Network, 40 N.E.3d 661, 672 (Ohio Ct. App. 2015).
30. See, e.g., Skinner v. Tel-Drug, Inc., No. CV-16–00236-TUC-JGZ (BGM), 2017 U.S. Dist. LEXIS 12427, at *8–10 (D. Ariz. Jan. 27, 2017).
31. K.V. & S.V. v. Women’s Healthcare Network, LLC, No. 07–0228-CV-W-DW, 2007 WL 1655734, at *1 (W.D. Mo. June 6, 2007).
32. Id. (citing Merrell Dow v. Thompson, 478 U.S. 804, 813 (1986)).
33. See I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585, at *2 (E.D. Mo. June 14, 2011) (citing Merrell Dow v. Thompson, 478 U.S. 804 (1986); Grable & Sons Metal Prods. v. Darue Eng’g & Mfg., 545 U.S. 308 (2005)).
34. Bonney v. Stephens Memorial Hosp., 17 A.3d 123, 128 (Me. 2011); Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 35–36, 49 (Conn. 2014).
35. Lamie v. United States Trustee, 540 U.S. 526, 542 (2004).
36. See United States v. Locke, 471 U.S. 84, 95 (1985) (“But the fact that Congress might have acted with greater clarity or foresight does not give courts a carte blanche to redraft statutes in an effort to achieve that which Congress is perceived to have failed to do.”).
37. See Rutherford, supra note 2, at 201–211 (discussing Congress’ failure after HITECH to implement a method to provide individuals with a portion of civil fines).
38. See Rutherford, supra note 2, at 210; 45 C.F.R § 160.306 (2014).
39. See Rutherford, supra note 2, at 210–211.
40. 45 C.F.R. § 160.203(b) (HIPAA preemption provision); 45 C.F.R. §§ 164.400–414 (request records); 45 C.F.R. § 164.524 (notification of breaches).
41. Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006).
43. Id. (citing 42 U.S.C. § 1320d‑5, d‑6).
44. For a discussion of enforcing health privacy rights with state tort law and their relation to HIPAA and preemption issues, see Morgan Leigh Tendam, Note, The HIPAA-Pota-Mess: How HIPAA’s Weak Enforcement Standards Have Led States To Create Confusing Medical Privacy, 79 Ohio State L. J. 411 (2018). For a discussion of potential federal private rights of action to bring in the event of improper disclosure of health information, including data breaches, see Joshua D.W. Collins, Note, Toothless HIPAA: Searching for a Private Right of Action to Remedy Privacy Rule Violations, 60 Vanderbilt L. Rev. 199 (2007). For a discussion of how courts should use breach of confidence and other privacy torts to protect the rights of individuals harmed in data breaches, see Alicia Solow-Niederman, Beyond the Privacy Torts: Reinvigorating a Common Law Approach for Data Breaches, Yale L. J. F. 614 (2018). In contrast, for an argument that HIPAA should provide a private right of action for security breaches, see Ryan L. Garner, Note, Evaluating Solutions to Cyber Attack Breaches of Health Data: How Enacting a Private Right of Action for Breach Victims Would Lower Costs, 14 Indiana Health L. Rev. 127 (2017).