There’s No Private Cause of Action in HIPAA According to District Court Ruling

36419114 - hand about to bang gavel on sounding block in the court room

Patients who think that there has been a violation of HIPAA Rules can send a complaint to the Department of Health and Human Services’ Office for Civil Rights. However, they should be aware that taking legal action for the HIPAA violation will not result in damages being awarded.

A number of patients have filed lawsuits for alleged HIPAA violations, but the cases have not been successful. The latest example has confirmed that there is no private cause of action within HIPAA law, and that lawsuits filed exclusively based on a HIPAA violation will not be successful.

Ms. Hope Lee-Thomas took legal action for an alleged violation of HIPAA that happened at Providence Hospital in Washington D.C. Ms. Lee-Thomas received treatment from LabCorp on June 15, 2017. According to Ms. Lee-Thomas, while at the hospital, a LabCorp employee instructed her to input her protected health information at a computer intake station.  Ms. Lee-Thomas argued that the information was viewable to another person using a different computer intake station. She took a photo of both computer intake stations to demonstrate this.

Ms. Lee-Thomas submitted a complaint to the hospital a complaint on July 3, 2017 and alleged there had been a HIPAA violation. She also filed a complaint with the HHS’ Office for Civil Rights, and later, with the District of Columbia Office of Human Rights (OHR) saying the hospital failed to implement appropriate measures to preserve the patient privacy.

On November 15, 2017, Ms. Lee-Thomas was told by HHS that her complaint will not be pursued. On November 28, 2017, OHR likewise dismissed her complaint. Both cases were dismissed because she did not state a claim. OHR advised Ms. Lee-Thomas that she could take this further through a private action through the D.C. Superior Court, which she did.

LabCorp took the lawsuit to the U.S. Court of Appeals for the District of Columbia Circuit, and submitted a motion to dismiss on the grounds of the failure to state a claim. There was no response from Ms. Lee-Thomas regarding the motion to dismiss.

On June 15, District Court Judge Rudolph Contreras issued a ruling confirming that HIPAA does permit action to be taken against HIPAA-covered entities for violations of HIPAA Rules, but only by the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. In his ruling, Judge Contreras further affirmed that there is no private cause of action in HIPAA. Even if there was a private cause of action, it is improbable that this case would have succeeded since no harm had been caused as a result of the alleged HIPAA violation.

While it is not possible for patients to take legal action against HIPAA covered entities for breaches of HIPAA Rules, that doesn’t mean patients can’t take legal action when their privacy has been violated. There’s no private cause of action in HIPAA, however state laws cover the privacy of personal data.

All 50 states have breach notification laws and many require safeguards to be implemented by organizations to protect the privacy of state residents. If sensitive information has been exposed, or impermissibly disclosed, it may be possible to take action for violations of state laws.