The Health Insurance Portability and Accountability Act of 1996
(HIPAA) does not provide for a private right of action allowing
affected individuals to sue to enforce its provisions. However, an
emergence of case law in recent years, as discussed
here and here, suggests that HIPAA may define the duty
of care for providers. Decisions from a number of state courts have
created a path for patients to use alleged HIPAA violations as the
basis for both common-law tort claims and claims under state
privacy laws by recognizing HIPAA as the standard of care for
patient privacy. A recent decision from a New Jersey appeals court
further spotlights the ability of a patient to sue a provider based
on a HIPAA violation.
The case, John Smith v. Arvind R. Datla, et al., in the
Superior Court of New Jersey Appellate Division (Docket No.
A-1339-16T3), involves a patient who alleged that his doctor had
unlawfully disclosed his HIV status to an unidentified third party
who was in the room during a bedside consultation. The plaintiff
asserted several claims against the doctor and the medical
practice, including invasion of privacy based on the inappropriate
disclosure of confidential medical information without his consent,
in violation of HIPAA.
The defendants moved to dismiss the claim on the grounds that HIPAA
does not provide a private right of action. Despite finding that
there was no private right of action under HIPAA, the judge ruled
that the plaintiff had adequately pleaded and could proceed with an
amended complaint under a common-law invasion of privacy
claim.
When implementing HIPAA compliance programs, providers are
generally focused on avoiding government enforcement actions and
large penalties which do not usually stem from small breaches. This
appellate decision serves as a reminder that a small and
inadvertent HIPAA violation can have significant consequences for a
provider when reputational or financial harm, or even just
embarrassment, results.
For more articles and regular updates on legislative changes, regulatory developments and other news of interest to businesses, professionals and investors in the healthcare industry, please subscribe to Day Pitney's mailing lists.
Click here for more Healthcare Blogs from Day Pitney
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.