HIPPO, HIPPER, HIPPA, HIPAA... whatever you call it
August 20, 2013
The Health Insurance Portability and Accountability Act of 1996 is known as HIPAA. Over the past decade I have heard it cussed, discussed, and mispronounced more times than I can count. The primary goals of HIPAA were to (1) make it easier for people to keep health insurance, (2) protect the confidentiality and security of healthcare information and (3) help the healthcare industry control administrative costs. There is even a section of HIPAA dealing with “administrative simplification.” Anyone who has spent any amount of time sorting through HIPAA would be hard-pressed to honestly say that it simplifies anything.
Of those three goals of HIPAA, only one impacts my law practice daily: the security and confidentiality of healthcare information. Medical providers are required to maintain the privacy of their patients’ medical records and cannot release the records without a valid authorization. Every time we request medical records of our clients from their healthcare providers, we must submit a HIPAA-compliant authorization.
But what happens if a medical provider releases information protected by HIPAA without an authorization? HIPAA provides civil penalties for non-compliance ranging from $100 a day up to $50,000 a day with a calendar year cap of $1,500,000. There are also potential criminal penalties with fines up to $250,000 and jail time up to ten years depending on the type of wrongful conduct and the criminal intent behind the violation.
Despite the potential for significant penalties, HIPAA has for the most part been a toothless tiger because the courts have typically found that there is no private cause of action under HIPAA. Dean v. City of New Orleans, 2013 U.S. App. LEXIS 9106 (5th Cir. La. May 3, 2013) (citing Acara v. Banks, 470 F.3d 569, 572 (5th Cir. 2006)). In simple terms, that means that Sally can’t sue her doctor for a HIPAA violation if her doctor discloses the fact that she had two abortions, has a nasty cocaine habit and three sexually transmitted diseases. Given the lack of a private cause of action, only the US Department of Health and Human Services through the Office of Civil Rights can seek to directly enforce HIPAA. Enforcement actions by the Department of Health for individual violations are so rare that I have never heard of one.
However, based on the recently reported Indiana Superior Court case of Hinchy v. Walgreen Co. and Peterson, it appears persons injured by the release of their confidential medical information may yet have an avenue to vindicate privacy rights. Rather than using HIPAA as a cause of action, an injured party can allege that the HIPAA violation is evidence the medical provider committed negligence or violated a professional standard of care.
Sure, it sounds like semantics. However, if attempting to plead a HIPAA violation results in the case being dismissed, but pleading negligence based on violations of HIPAA as a standard of care results in a $1.4 million jury question (as it did in Hinchy), which one do you think plaintiffs will pursue? Given the comprehensive nature of HIPAA, expect to see preemption arguments against state court negligence actions involving HIPAA violations on the horizon.