The National Law Journal reported in its June 2007 issue that the Health Insurance Portability and Accountability Act (HIPAA) is raising new legal fears for health care providers concerning privacy suits. Labor and employment attorneys are concerned that courts have begun to let plaintiffs use HIPAA standards to prove liability in privacy suits, even though the law doesn’t currently provide a private right of action. And a new federal crackdown on HIPAA violators is also causing concerns for health care providers.
Tresa Baldas writes in her NLJ articles that labor and employment attorneys who represent health care providers are especially concerned about the prospect of private HIPAA litigation because the law does not currently provide a private right of action. But plaintiffs appear to be getting around that. The attorneys say that courts in recent years have begun letting plaintiffs use HIPAA standards to prove liability in privacy lawsuits alleging that their sensitive medical records were inadequately protected.
For example, in a recent Utah case where a doctor is facing an invasion of privacy lawsuit, an appeals court cited HIPAA standards in determining that the physician owed a duty of confidentiality to his patients, and allowed the case to proceed. Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006). Also last year, an appellate court in North Carolina ruled that HIPAA could be used by a plaintiff to establish the "standard of care" in a negligence lawsuit. Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006).
Plaintiffs’ attorneys everywhere will likely begin pointing to cases such as Sorensen and Acosta to argue that hospitals and physicians can be liable under state tort law for an "invasion of privacy" or for "negligently inflicting emotional distress" if they fail to comply with HIPAA. This type of trend underscores why it is important that covered entity providers take steps to develop and implement HIPAA-compliant policies and procedures regarding the use and disclosure of patient information. As more of these lawsuits come down the pipe, providers who have refused to take HIPAA head-on or have taken only cursory steps to comply with HIPAA’s requirements may begin to reassess the risks of not having an adequate HIPAA compliance program in place.
Helen’s HIPAA Hint: Providers, health plans and clearinghouses that handle patients’ health information should implement a compliance program that ensures their employees adhere to the standards required under HIPAA for privacy and security. Demonstrating proof of an active and effective HIPAA compliance program can also be helpful in defending such privacy suits.