June 27, 2018
Patients who believe HIPAA Laws have been violated can submit a complaint to the Division of Health and Human Services’ Office for Civil Rights, but they don’t have the right to take legal action, at least not for the HIPAA violation. There is no individual private reason of action under HIPAA rule.
A number of patients have filed court cases over alleged HIPAA violations, even though the cases have not been proved successful. A new case has confirmed once again that there is no private reason of action in HIPAA, and court cases filed exclusively on the basis of a HIPAA violation are extremely unlikely to succeed.
Ms. Hope Lee-Thomas filed the court case for an alleged HIPAA violation that happened at Providence Hospital in Washington D.C., where she got treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, asserts that while at the hospital on June 15, 2017, a LabCorp worker ordered her to enter her protected health information at a computer intake station.
Ms. Lee-Thomas told the LabCorp worker that the information was in complete view of another individual at a different computer intake station and took a photograph of the two computer intake stations.
On July 3, 2017, Ms. Lee-Thomas submitted a grievance with the hospital claiming a violation of HIPAA and filed a grievance with the HHS’ Office for Civil Rights. Later, a complaint was filed with the District of Columbia Office of Human Rights (OHR) claiming the hospital had failed to make proper rooms for patients to safeguard their privacy.
On November 15, 2017, the HHS informed Ms. Lee-Thomas that her claim would not be followed and OHR similarly rejected her complaint on November 28, 2017, in both cases on the grounds that she failed to assert a claim. OHR advised Ms. Lee-Thomas had the right to bring a private action before the D.C. Superior Court and she went on to do so.
LabCorp removed the case to the U.S. Court of Appeals for the District of Columbia Circuit and filed a motion to reject, again for the failure to state a claim. Ms. Lee-Thomas failed to reply to the motion to reject.
In a June 15 decision, District Court Judge Rudolph Contreras confirmed that HIPAA does allow financial penalties to be issued when patients’ secrecy is violated in breach of HIPAA Laws, but civil and criminal fines are followed by the Division of Health and Human Services’ Office for Civil Rights and state attorneys general. In his judgment, Judge Contreras verified there is no private reason of action in HIPAA.
Even if there was a private reason of action, it would be improbable that this case would have proved successful as no harm seems to have been caused as a consequence of the suspected HIPAA violation.
While court cases are likely to be rejected when based on HIPAA violations only, that doesn’t mean legal action cannot be taken by patients whose secrecy has been violated. There is no private reason of action in HIPAA, but the secrecy of personal information is protected by state rules.
Rules have been passed in all 50 states that need notices to be issued to users when their private information has been disclosed, and many states also need businesses to apply ‘realistic safeguards’ to make sure private data of state inhabitants are safeguarded.
A HIPAA violation can be informed to OCR to probe, and action might be taken against the protected unit in question by OCR, but if the only basis of any legal action is a violation of HIPAA Laws, the case is not likely to be successful.
Sufferers of secrecy violations who desire to take legal action must look at possible violations of state rules instead of HIPAA violations.