By Courtney P. Cowan, JD, ByrdAdatto

Anyone working in the health care industry is intimately familiar with the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. Generally, the purpose of HIPAA is to establish minimum federal standards for protecting the privacy of protected health information (PHI). While it is widely understood that health plans, health care clearinghouses, and health care providers are potentially subject to HIPAA regulation at the federal level for maintaining patient privacy, what may be less well known is how the patient privacy standard of care established under HIPAA applies to a private right of action.

Only the U.S. Department of Health and Human Services Office for Civil Rights (HHS) and the state attorneys general can enforce HIPAA violations. As a result, HIPAA lacks a private right of action. This means that an individual whose PHI has been used or disclosed by a health care provider in violation of HIPAA may not bring a civil claim against the provider under HIPAA. HIPAA also preempts state privacy laws that are contrary to HIPAA, the exception being when a state law is "more stringent" than HIPAA regarding privacy protection.

With data breaches becoming increasingly common, individuals have attempted to circumvent HIPAA's lack of individual enforcement power by bringing negligence claims under state law based on violations of HIPAA. Using HIPAA as the patient privacy standard of care in negligence cases is beginning to look more like the equivalent of a private right of action under HIPAA, which HIPAA does not allow. This essentially means that a violation of the HIPAA rules may be used to establish that a health care provider has breached the duty of care owed to a patient under state law negligence claims relating to the improper disclosure of patient PHI. As a result, health care providers should understand that a HIPAA violation may result in a variety of state law claims.

Perhaps even more alarming than the attempted private right of action as a HIPAA workaround is the recent trend of state courts both finding in favor of the plaintiffs bringing the private rights of action, as well as finding that HIPAA violation claims can be brought at the state level. In California, for example, a medical center found itself at the center of a major data attack, with 4.5 million patients affected by the breach. After suspecting suspicious activity on its network, it contacted the FBI for help. Although it took close to nine months to notify the patients of the breach, HHS ultimately found that the medical center followed appropriate protocol and was satisfied with the health system's post-breach efforts to improve security. However, despite the findings by HHS, a California state court found that the medical center failed to notify its patients of a data breach in a timely manner and awarded a settlement of $7.5 million in favor of patients who had filed the class-action suit.

The Arizona Court of Appeals also added itself to a number of courts across several states holding that HIPAA may define the standard of care for state law claims. The claim before the Arizona court alleged a privacy violation by a Costco pharmacist when the pharmacist verbally joked about a man's erectile dysfunction medication to the man's ex-wife. The long and short of it is, the Arizona Court of Appeals ruled that negligence claims using HIPAA as the patient privacy standard of care could be brought against Costco in Arizona courts.

While data breaches occur in virtually every state, health care providers in Texas have the added burden that the state has led the country in total hacking breaches reported to HIPAA for four of the past five years. In light of other rulings similar to those in California and Arizona, it is no surprise that Texas hospitals have recently been devoting more resources to cybersecurity. The added protection seems to be working—data shows that despite Texas often being in the top two states in terms of total hacking attempts over the past five years, it is further down the list when it comes to individual records actually breached.

Since it is becoming increasingly common for state courts to find HIPAA as the patient privacy standard of care for private rights of action, health care providers should re-evaluate, establish and enforce HIPAA compliance and training programs within their organizations. Otherwise, not safeguarding against HIPAA violations could result in substantial penalties against an organization.

AmSpa members receive a complimentary 20-minute Introductory Compliance Assessment with a ByrdAdatto attorney. Click here to learn how to join AmSpa today!

As the daughter of a periodontist, Courtney P. Cowan has been fascinated by the health care field since childhood. She often accompanied her father to his office, where she developed an appreciation for physicians and their respective practices. Having absolutely none of the dexterity that is required to be a surgeon, however, Cowan instead decided to pursue a degree in business while attending Baylor University. It wasn't until she was required to take a business law course that she discovered her passion for the law. After graduating from Southern Methodist University Dedman School of Law, Cowan serendipitously connected with ByrdAdatto and now assists clients by combining her business background with her enthusiasm for health care and the law.