If the recent emphasis by the Department of Health and Human Services on the enforcement of HIPAA was not sufficient motivation for providers and business associates to comply, a ruling this week by the Connecticut Supreme Court provides additional incentives. When Congress passed the Health Insurance Portability and Accountability Act ("HIPAA") it scrupulously avoided creating a private cause of action, opting instead to rely on government enforcement and fines as the means of compelling compliance with the law. As with many government mandated practices, there is a fear that the mandated practices become the "standard of care". Not following the "standard of care" is negligence and can create a cause of action against the provider or business associate.
The Connecticut Supreme Court ruled that a provider's failure to comply with HIPAA and its various regulations violated the community standard of care, thus permitting a plaintiff to make a claim under general negligence theories under state law. In the Connecticut case, the defendant- health care provider responded to a subpoena by immediately supplying the documents containing a patient's protected health information without having given the patient an opportunity to quash the subpoena. In essence, the private right of action not provided for in HIPAA has now entered in through the back door, at least in Connecticut and several other states. Some commentators believe that more state courts will not want to see their general negligence laws frittered away and preempted by HIPAA, and therefore will be tempted to apply the same rationale.
This is not the first time that a reference to HIPAA has resulted in a private cause of action. In July of 2013, Walgreen Company was hit with a $1.4 million verdict in an Indiana Court when one of its pharmacists admitted to providing to a husband confidential medical records that showed sensitive information regarding his wife's purported STD. Also, allegedly unlawful disclosures of medical records have resulted in private causes of action in Missouri, West Virginia and North Carolina.
Providers and business associates alike should take note of this trend and double their efforts to comply with HIPAA. The best defense is having a robust and effective HIPAA compliance program so that if an error does occur, the charge of negligence can be effectively defended.