Generally speaking, HIPAA does not afford an individual the right to sue for a HIPAA violation. HIPAA does not create a private cause of action for an individual. This means that the government can file an adversary claim against a covered entity (CE) for non-compliance and seek penalties, but an individual cannot use HIPAA as a basis under the federal regulations to sue. However, an individual may seek damages from a CE under state regulations as a “civil action” for negligence (also known as a tort), and state courts may look to HIPAA as the standard by which a negligence cause of action may prevail.

For example, when a state court looks to HIPAA, it will allow the breach of privacy under the HIPAA regulation to be used to show the underlying basis for a breach of duty in a negligence claim for public disclosure of private facts. And duty is one of the four elements required to be shown by the plaintiff, along with the three other elements which are:

  • Breach of duty,
  • Causation, and
  • Damages.

But the analysis does not stop there. Duty of care is pivotal in these types of cases because in order to show there was a duty owed, the plaintiff must show that the incident was foreseeable. Foreseeability is a tricky area and not always completely clear. In addition to public disclosure of private facts, Massachusetts has three other invasion of privacy torts which include:

  1. Intrusion on physical seclusion,
  2. False light, and
  3. Impersonation of the likeness of another for benefit.

A recent case was decided in Connecticut where a HIPAA violation was allowed to show a breach of the duty of care. This was a case where a physician’s office released records without the proper authorization or order, and the court found that, because it was shown that HIPAA was violated, the case could go forward in state court under a privacy claim. See Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 327 Conn. 540. The facts of the case relate to a physician’s release of medical records in response to a subpoena without first obtaining the patient’s consent, obtaining a protective order, or notifying the patient in accordance with the regulatory procedures under HIPAA.

For more information on HIPAA litigation, please contact Linda at 718-272-8001.

(050118)