The District court has ruled that patients have no right to take legal action for HIPAA violation. That is to say that there is no individual private cause of action under HIPAA law. Patients who believe HIPAA Rules have been violated and their personal data compromised can submit a compliant to the Department of Health and Human Services’ Office for Civil Rights for the case to be investigated, but they do not have the right to take legal action against an entity for the breaking of HIPAA Rules.
Since HIPAA legislation was introduced, several patients have filed lawsuits over alleged violations of the Rules. However, the cases have not been successful. A recent case brought by Ms. Hope Lee-Thomas against a former LabCorp employee has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed in the courts.
Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C. in June 2017. While she was at the facility, she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that a LabCorp employee instructed her to enter her protected health information at a computer intake station.
Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different computer intake station, and therefore her information would not remain private. As evidence for her concern, she took a photograph of the two computer intake stations to document their proximity.
On July 3, 2017, Ms. Lee-Thomas submitted a complaint with the hospital alleging a violation of HIPAA and filed a complaint with the HHS’ Office for Civil Rights. Later, a complaint was filed with the District of Columbia Office of Human Rights (OHR) claiming the hospital had failed to make appropriate accommodations for patients to preserve their privacy while inputting their data into the computer system.
On November 15, 2017, the HHS informed Ms. Lee-Thomas that her claim would not be pursued and OHR similarly dismissed her complaint on November 28, 2017, in both cases on the grounds that she failed to state a claim. OHR suggested Ms. Lee-Thomas had the right to bring a private action before the D.C. Superior Court. Ms. Lee-Thomas decided to represent herself in the claim, and proceeded to do as OHR suggested.
LabCorp removed the case to the U.S. Court of Appeals for the District of Columbia Circuit, and filed a motion to dismiss, again for the failure to state a claim. Ms. Lee-Thomas failed to respond to the motion to dismiss.
The case was heard by District Court Judge Rudolph Contreras, who ruled on June 15 that HIPAA does permit financial penalties to be issued when patients’ privacy is violated in breach of HIPAA Rules, but civil and criminal penalties are pursued by the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. In his ruling, Judge Contreras confirmed there is no private cause of action in HIPAA.
Even if there was a private cause of action, it would be unlikely that this case would have succeeded as no harm appears to have been caused to Ms. Lee-Thomas as a result of the alleged HIPAA violation.
While lawsuits are likely to be dismissed when based on HIPAA violations alone, that does not mean legal action cannot be taken by patients whose privacy has been violated. There is no private cause of action in HIPAA, but the privacy of personal information is covered by separate state laws.
Laws have been passed in all 50 states that require notifications to be issued to consumers when their personal information has been exposed. Furthermore, several states also require companies to implement ‘reasonable safeguards’ to ensure personal data of state residents are protected.
A patient may report a HIPAA violation to OCR for further investigation. If OCR deems the violation sufficient, action may be taken against the covered entity in question. However, if the sole basis of any legal action is a violation of HIPAA Rules, and no damage has been done to the patient, the case is unlikely to be successful. Therefore, victims of privacy violations who wish to take legal action should look at potential violations of state laws rather than HIPAA violations.