Contributions

The ‘P’ is Not For Privacy: Preventing Private Enforcement of HIPAA

by Ryan Knox1

Patients expect their health information to be kept private. In the digital age where hacks of health information are increasingly common,2 companies possessing health information must take steps to protect that information.3 Federal law, specifically the Health Insurance Portability and Accountability Act (HIPAA),4 provides some guidance for companies on how to protect electronically-held health information.

HIPAA applies to protected health information that is in the possession of a covered entity (a healthcare provider, a health plan, or a healthcare clearinghouse) or its business associate.5 Covered entities and business associates in possession of health information are required to take reasonable steps to protect this information and ensure it remains confidential.6 Under HIPAA, in the event of a data breach, companies are required to notify those whose data has been disclosed.7

Only the Department of Health and Human Services (HHS) and the state attorneys general can enforce HIPAA violations.8 Individuals have been left with limited recourse following health information data breaches. With data breaches becoming increasingly common, individuals have attempted to circumvent HIPAA’s lack of individual enforcement power by bringing negligence per se claims under state law based on violations of HIPAA.9 This is contrary to the aims and framework of HIPAA. Therefore, this Contribution argues that states should not allow negligence per se claims brought based on violations of HIPAA.

* * * * *

General common law negligence is failing to do what a reasonable person would in a similar situation, breaching a duty of care.10 There are four elements to negligence: “(1) a preexisting duty or standard of care, (2) a breach of that duty, and (3) damages (4) caused by that breach of duty.”11 One type of negligence, and the focus of this Contribution, is negligence per se.

Negligence per se is a “negligence claim with a statutory standard of care substituted for the common law standard of care.”12 In a negligence per se case, the dispositive question is not “whether the defendant acted as an ordinarily prudent person would have acted under the circumstances,”13 but rather “whether the relevant statute or regulation has been violated.”14 If the defendant violated the statute, then “the defendant was negligent as a matter of law.”15

Although federal statutes may support state tort claims,16 violations of any given statute do not necessarily amount to a claim of negligence per se. States can restrict the scope of negligence per se claims in their state. For example, in Kentucky, only state statutes are permitted to serve as a basis for negligence per se.17 In Florida, only statutes that provide a private right of action can be the basis of a negligence per se claim.18 While individual state statutes may have particular influence on the permissibility of these state negligence claims, this Contribution focuses on the aspects of HIPAA that weigh against violations of HIPAA serving as the sole basis of negligence per se claims.

* * * * *

HIPAA lacks a private right of action.19 Only the Department of Health and Human Services and state attorneys general have the power to enforce HIPAA violations.20 In 2009, Congress increased protections for medical information with the Health Information Technology for Economic and Clinical Health Act (HITECH Act).21 Importantly, Congress did not add a private right of action to HIPAA with its revisions in HITECH.

Because HIPAA specifically delegates enforcement to the Department of Health and Human Services and the State Attorneys General, “there is a strong indication that Congress intended to preclude private enforcement.”22 Congress has the power to “define injuries” so that plaintiffs will have standing when they would not otherwise.23 Congress does this by giving “a person a statutory right and purport[ing] to authorize that person to sue to vindicate that right.”24

Courts cannot create a private right of action in a statute where one does not exist.25 Congress has chosen not to create such a right in HIPAA. If Congress intended to have private parties enforce HIPAA, “then it should amend the statute to conform it to its intent” and add a private right of action.26 Courts have recognized this and, accordingly, have repeatedly dismissed negligence per se claims based on alleged HIPAA violations.27

In Sheldon v. Kettering Health Network, a patient sued the hospital for negligence per se and invasion of privacy.28 The court found that HIPAA did not preempt negligence claims based on alleged HIPAA violations, but that the violation did not constitute negligence per se. The court decided that while the violation could be evidence of negligence, it could not provide the basis for negligence per se, as allowing a negligence per se claim based on a violation of HIPAA would be “tantamount to authorizing a prohibited private right of action for violation of HIPAA itself.”29 Other courts have followed Sheldon and declined to permit negligence per se claims based on alleged HIPAA violations.30

Some courts have permitted negligence per se claims based on HIPAA violations to move forward. However, these cases are inapposite. The court in K.V. v. Women’s Healthcare Network, LLC, considered whether a negligence per se claim based on violations of HIPAA and a state statute could be heard in federal court.31 The court remanded the case to state court as the mere mention of HIPAA did not confer federal question jurisdiction under Merrell Dow.32 It did not, however, hold that these negligence per se claims were permissible, as that was not the question before the court. Similarly, in I.S. v. Washington University, the question presented was whether the federal district court had subject matter jurisdiction under Merrell Dow and Grable & Sons Metal Products.33 Even though the court analyzed HIPAA’s lack of a private right of action, this was in relation to conferral of jurisdiction, not the permissibility of the claim.

Many courts have allowed alleged HIPAA violations to inform the duty or standard of care in general negligence claims, particularly in instances where there was an underlying state right describing the duty.34 But where the negligence per se claim is based solely on HIPAA violations, there is nothing to inform and the claims cannot stand. If Congress wanted to provide individuals private rights under HIPAA, “then it should amend the statute to conform it to its intent.”35 Courts cannot create a private right of action or revise a statute based on their policy preferences.36 Permitting state law negligence per se claims based solely on HIPAA violations would effectively do just that.

* * * * *

Individuals bring negligence per se claims based on HIPAA violations in order to remedy their individual harms. HIPAA enforcement cases do not remedy individual harms resulting from breaches of health information; any financial penalties to the covered entity or business associate that disclosed private health information go to the government, not the individuals.37 The only individual recourse under HIPAA for victims of health information data breaches is filing a complaint with the HHS Office of Civil Rights.38 However, this does not provide a remedy to the individual privacy harm.39

While an individual may want a remedy under HIPAA, HIPAA did not in fact provide individual privacy rights. HIPAA allows for broader state privacy rights but only provides limited individual rights, such as the right to request records and to be informed of privacy breaches.40

Neither HIPAA nor the regulations developed by HHS under HIPAA “confer[ed] privacy rights upon a specific class of individuals.”41 Instead, the statute regulates “persons that have access to individually identifiable medical information and who conduct certain electronic health care transactions.”42 This is because HIPAA was enacted for the broader purpose of regulating covered entities to prevent the “improper disclosures of medical information,”43 not to redress an individual’s alleged harm. It would be incoherent for individuals to be able to sue for these non-existent individual rights under HIPAA. As such, individuals should not be allowed to bring negligence per se claims based solely on HIPAA violations.

Plaintiffs may argue that this leaves them without recourse for violations of their health information privacy. This is simply not the case. Removing negligence per se still leaves state law negligence claims where HIPAA informs the standard of care. Plaintiffs would still have to prove a common law duty and breach of that duty, which would be unnecessary in a negligence per se claim. Individuals also can bring other state law tort claims for invasion of privacy or breach of fiduciary duty.44 These common law torts do not infringe upon the intent and framework of HIPAA yet still provide individuals the potential for remedying their harm.

* * * * *

Congress did not intend for individual claims to be brought based on HIPAA. HIPAA, while known as a healthcare privacy law, does not itself provide individual privacy rights or remedies for violations of such rights. State law negligence per se claims are blatant attempts to bring claims under HIPAA which could not be brought directly. As such, courts should not permit negligence per se claims based solely on alleged violations of HIPAA. Instead, individuals should use other state law torts with HIPAA as potential evidence of the standard of care. This will be truer to HIPAA’s intent and framework.

Notes:

1. Ryan Knox is a 3L at New York University School of Law and Executive Editor of N.Y.U. Proceedings. This piece is a commentary on the 2018 Southern Illinois University School of Law National Health Law Moot Court Competition held in Carbondale, Illinois. The views expressed in this article do not necessarily represent the views of the author on this point of law. Rather, this article is a distillation of part of one side of an argument addressed at the Southern Illinois University School of Law National Health Law Moot Court Competition. I would like to thank my competition partner, Ian Swenson, and the many classmates who helped us prepare for the competition for their thoughtful comments that assisted in the development of this Contribution.

2. Austin Rutherford, Byrne: Closing the Gap between HIPAA and Patient Privacy, 53 San Diego L. Rev. 201, 212 (2016) (citing Health Information Privacy Complaints Received by Calendar Year, U.S. Dep’t Health & Human Servs., http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/complaintsyear.html [https://perma.cc/48AJ-WP4B] (last visited Feb. 8, 2016)).

3. While companies are increasingly taking steps to protect health information, not all companies are required to do so under federal law. HIPAA only applies to covered entities and business associates, not every single company in possession of personal health information. As a result, not every single breach of health information can be brought under HIPAA. The 2018 National Health Law Moot Court Competition also considered whether the company—the prescription assistance program within a pharmaceutical company—was a covered entity or business associate under HIPAA, and, based on that, whether the company was governed by HIPAA and could violate it for the purposes of negligence per se. This Contribution does not address this additional complexity, and will focus only on whether negligence per se claims can be based on HIPAA violations.

4. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of 42 U.S.C.).

5. 45 C.F.R. § 160.103 (2014).

6. See 45 C.F.R. § 164.306(a)(1) (2015) (Privacy Rule); see 45 C.F.R. § 164.312 (2015) (Security Rule).

7. 45 C.F.R. § 164.404(b) (2015).

8. 42 U.S.C. § 1320d-5.

9. The National Health Law Moot Court Competition problem also included general negligence claims under state law. This Contribution will not consider whether HIPAA can be used as evidence for standard of care for state law claims of general negligence.

10. Negligence, Black’s Law Dictionary (10th ed. 2014).

11. Id.

12. Real Estate Marketing, Inc. v. Franz, 885 S.W.2d 921, 927 (Ky. 1994), overruled on other grounds by Giddings & Lewis, Inc. v. Indus. Risk Insurers, 348 S.W.3d 729 (Ky. 2011) (citing Atherton Condo. Apartment-Owners Ass’n Bd. of Dirs. v. Blume Dev. Co., 799 P.2d 250, 262 n.13 (Wash. 1990)).

13. Wendland v. Ridgefield Constr. Servs., Inc., 439 A.2d 954, 956 (Conn. 1981) (citing William L. Prosser, Law of Torts § 36).

14. Id.

15. Id.

16. See Grable & Sons Metal Prods., Inc. v. Darue Eng’g & Mfg., 545 U.S. 308, 318–19 (2005) (citing Merrell Dow Pharms., Inc. v. Thompson, 478 U.S. 804 (1986)). See also Restatement (Third) of Torts: Phys. & Emot. Harm § 14 cmt. A (Am. Law Inst. 2010) (explaining that the section on negligence per se “most frequently applies to statutes adopted by state legislatures, but equally applies to … federal statutes as well as regulations promulgated by federal agencies”).

17. See Young v. Carran, 289 S.W.3d 586, 589 (Ky. App. 2008) (quoting T & M Jewelry, Inc. v. Hicks ex rel. Hicks, 189 S.W.3d 526, 530 (Ky. 2006)).

18. See In re Cmty. Health Sys., No. 15-CV-222-KOB, 2016 U.S. Dist. LEXIS 123030, at *90 (N.D. Ala. Sept. 12, 2016).

19. See, e.g., Dodd v. Jones, 623 F.3d 563, 569 (8th Cir. 2010) (finding that a plaintiff’s claim failed because “HIPAA does not provide a private right of action”). See also Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 45 (Conn. 2014) (“It is by now well settled that the ‘statutory structure of HIPAA precludes implication of a private right of action.’”) (quoting University of Colorado Hospital Authority v. Denver Publishing Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004)); Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006) (“Every district court that has considered this issue is in agreement that the statute does not support a private right of action.”).

20. See 42 U.S.C. § 1320d-5.

21. Pub. L. No. 111-5, Div. A, Title XIII, Div. B, Title IV, 123 Stat. 226, 467 (2009).

22. Acara, 470 F.3d at 571 (citing Alexander v. Sandoval, 532 U.S. 275, 286–87 (2001)).

23. Massachusetts v. E.P.A., 549 U.S. 497, 516 (2007).

24. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016).

25. See Alexander v. Sandoval, 532 U.S. 275, 286–87 (2001).

26. Lamie v. United States Trustee, 540 U.S. 526, 542 (2004).

27. See, e.g., Young, 289 S.W.3d at 588 (“HIPAA does not create a state-based private cause of action for violations of its provisions.”); Weinberg v. Advanced Data Processing, Inc., 147 F. Supp. 3d 1359, 1365–66 (S.D. Fla. 2015) (“Florida courts have refused to recognize a private right of action for negligence per se based on an alleged violation of a federal statute that does not provide for a private right of action.”).

28. 40 N.E.3d 661 (Ohio Ct. App. 2015).

29. Sheldon v. Kettering Health Network, 40 N.E.3d 661, 672 (Ohio Ct. App. 2015).

30. See, e.g., Skinner v. Tel-Drug, Inc., No. CV-1600236-TUC-JGZ (BGM), 2017 U.S. Dist. LEXIS 12427, at *8–10 (D. Ariz. Jan. 27, 2017).

31. K.V. & S.V. v. Women’s Healthcare Network, LLC, No. 07-0228-CV-W-DW, 2007 WL 1655734, at *1 (W.D. Mo. June 6, 2007).

32. Id. (citing Merrell Dow v. Thompson, 478 U.S. 804, 813 (1986)).

33. See I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585, at *2 (E.D. Mo. June 14, 2011) (citing Merrell Dow v. Thompson, 478 U.S. 804 (1986); Grable & Sons Metal Prods. v. Darue Eng’g & Mfg., 545 U.S. 308 (2005)).

34. Bonney v. Stephens Memorial Hosp., 17 A.3d 123, 128 (Me. 2011); Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 35–36, 49 (Conn. 2014).

35. Lamie v. United States Trustee, 540 U.S. 526, 542 (2004).

36. See United States v. Locke, 471 U.S. 84, 95 (1985) (“But the fact that Congress might have acted with greater clarity or foresight does not give courts a carte blanche to redraft statutes in an effort to achieve that which Congress is perceived to have failed to do.”).

37. See Rutherford, supra note 2, at 201–211 (discussing Congress’ failure after HITECH to implement a method to provide individuals with a portion of civil fines).

38. See Rutherford, supra note 2, at 210; 45 C.F.R. § 160.306 (2014).

39. See Rutherford, supra note 2, at 210–211.

40. 45 C.F.R. § 160.203(b) (HIPAA preemption provision); 45 C.F.R. §§ 164.400–414 (request records); 45 C.F.R. § 164.524 (notification of breaches).

41. Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006).

42. Id.

43. Id. (citing 42 U.S.C. § 1230d-5, d-6).

44. For a discussion of enforcing health privacy rights with state tort law and their relation to HIPAA and preemption issues, see Morgan Leigh Tendam, Note, The HIPAA-Pota-Mess: How HIPAA’s Weak Enforcement Standards Have Led States To Create Confusing Medical Privacy, 79 Ohio State L. J. 411 (2018). For a discussion of potential federal private rights of action to bring in the event of improper disclosure of health information, including data breaches, see Joshua D.W. Collins, Note, Toothless HIPAA: Searching for a Private Right of Action to Remedy Privacy Rule Violations, 60 Vanderbilt L. Rev. 199 (2007). For a discussion of how courts should use breach of confidence and other privacy torts to protect the rights of individuals harmed in data breaches, see Alicia Solow-Niederman, Beyond the Privacy Torts: Reinvigorating a Common Law Approach for Data Breaches, Yale L. J. F. 614 (2018). In contrast, for an argument that HIPAA should provide a private right of action for security breaches, see Ryan L. Garner, Note, Evaluating Solutions to Cyber Attack Breaches of Health Data: How Enacting a Private Right of Action for Breach Victims Would Lower Costs, 14 Indiana Health L. Rev. 127 (2017).