How much a HIPAA violation lawsuit is worth depends on the nature of the violation, the harm caused, and the availability of a suitable state law with a private right of action. This article looks at three cases in which plaintiffs successfully sought damages for a violation of HIPAA and discusses how the settlements in these cases could shape future judgements.
HIPAA does not provide for a private right of action. This means that if a healthcare provider violates HIPAA by impermissibly disclosing Protected Health Information (PHI), and the patient who is the subject of the PHI suffers harm as a result (for example, becomes the victim of medical identity theft), the patient cannot file a HIPAA violation lawsuit for the violation or for the consequences of the violation.
However, some courts have ruled HIPAA does not preempt the provision of a private right of action when a private right of action exists “as a matter of state common or statutory law”. This means that, if a healthcare provider impermissibly discloses PHI, and a state confidentiality law exists that provides a private right of action, patients can file a HIPAA violation lawsuit – albeit under state law.
How Much is a HIPAA Violation Lawsuit Worth?
From the case law that is publicly available, it is not possible to determine how much each state action brought in lieu of a HIPAA violation lawsuit is worth. This is because, as in all negligence tort cases, the value of an award or settlement depends on the nature of the violation and its consequences. It is also the case that some states' laws allow for more damages than others.
What it is possible to determine from publicly available case law is that courts are increasingly using HIPAA to establish the standard of care required in negligence tort cases. Therefore, if a healthcare provider fails to comply with HIPAA, and a negligence tort case is brought against the healthcare provider for an impermissible disclosure of PHI, the court is more likely to find in favor of the plaintiff.
Turk v. Oiler (undisclosed)
This case is more complicated than an impermissible disclosure of PHI because it followed on from an earlier criminal case in which the plaintiff – James Turk – had been unjustifiably charged with carrying a concealed weapon while under a disability. During the criminal case, the Cleveland Clinic had disclosed medical records which included drug, alcohol, and mental health counselling records.
Following his acquittal, Turk filed a HIPAA violation lawsuit against the Cleveland Clinic. The clinic offered the defense that the disclosure was permitted by HIPAA, but the Ohio District Court found in favor of the plaintiff – stating the state’s physician-patient privilege laws preempted HIPAA. The HIPAA violation lawsuit was settled between the parties for an undisclosed amount in May 2010.
Byrne v. Avery ($853,000 plus interest)
Initially filed in 2007 after the Avery Center for Obstetrics and Gynecology, Westport, CT, disclosed the medical records of Emily Byrne to a former boyfriend, this case was originally dismissed in 2011. The District Court ruled HIPAA does not provide for a private right of action and “preempted any Connecticut common-law action dealing with the confidentiality and privacy of medical information”.
Emily Byrne appealed to Connecticut’s Supreme Court, who reversed the dismissal stating: “if Connecticut’s common law recognizes claims arising from a healthcare provider’s alleged breach of its duty to confidentiality […], HIPAA and its implementing regulations do not preempt such claims”. The Court added: “HIPAA may be utilized to inform the standard of care applicable to such claims”.
The case was subsequently reheard in January 2018 in front of a jury, who found in favor of the plaintiff and awarded her $853,000 in damages. The Avery Center was given leave to appeal subject to post-judgement interest of 12%; but, when the appeal was heard in May 2022, Judges Cradle, Clark, and Harper upheld the trial court verdict in the longest-lasting HIPAA violation lawsuit to date.
Hinchy v. Walgreen Co. ($1.8 million)
In this HIPAA violation lawsuit, the plaintiff – Abigail Hinchy – alleged her privacy rights had been violated by a pharmacist at Walgreens. Hinchy alleged the pharmacist impermissibly viewed her prescription history – after a relationship between the plaintiff and the pharmacist’s husband had been discovered – to see if Hinchy had been prescribed treatment for a sexually transmitted disease.
After an internal investigation confirmed the HIPAA violation, Hinchy filed suit against the pharmacist in 2011 – alleging negligence, professional malpractice, invasion of privacy, and the public disclosure of private facts – and against Walgreens by way of respondeat superior. In July 2013, an Indiana jury found in favor of the plaintiff and awarded her $1.8 million in damages against the defendants.
Walgreens – who were assigned 80% liability – twice appealed the verdict. In November 2014, the Court of Appeals upheld the jury verdict; and, in January 2015, the Indiana Appellate Court ruled against Walgreens’ appeal for the case to be reheard. Following the two knock-backs, Walgreens declined the opportunity to defend the HIPAA violation lawsuit in the Indiana Supreme Court.
Why Might These Cases Shape Future Judgements?
There are three ways in which these cases might shape future judgements. The first is that healthcare providers can no longer depend on the lack of a private right of action to defend against HIPAA violation lawsuits. Most states now have consumer protection, privacy and confidentiality, or data security laws that provide a private right of action for HIPAA violations.
The second way in which these cases might shape future judgements is that – historically – most lawsuits for HIPAA violations have been class actions involving thousands of plaintiffs. These cases brought by individuals demonstrate that, even when one individual’s PHI is impermissibly disclosed, healthcare organizations can be liable for seven-figure settlements – plus costs.
Finally, the Byrne v. Avery and Hinchy v. Walgreens settlements set precedents for future settlements. In the majority of negligence tort cases, plaintiffs settle the complaint without going to trial, and the details of the settlements never become a matter of public record (as with Turk v. Oiler). However, future HIPAA violation lawsuits now have these case histories to guide them.
Consequently, it is important that healthcare organizations review their compliance with HIPAA, ensure members of the workforce receive adequate HIPAA training, and monitor workforce access to PHI to reduce the likelihood of an impermissible disclosure of PHI that results in a HIPAA violation lawsuit. Healthcare organizations that require help to review their compliance with HIPAA should download our HIPAA compliance checklist or seek professional compliance advice.