A federal trial courtroom has dismissed state-law claims introduced by a bunch well being plan participant after the plan’s insurer disclosed the participant’s protected well being data (PHI) in violation of the HIPAA privateness rule. Based on the criticism, the insurer obtained a subpoena directing it to reveal specified medical data to an assistant decide for personal evaluation earlier than the data would doubtlessly be disclosed to an lawyer for the participant’s ex-spouse. Nevertheless, the insurer allegedly violated HIPAA by disclosing data past these described within the subpoena. Furthermore, the disclosure was made on to the ex-spouse’s lawyer moderately than to the assistant decide. The participant introduced a number of privacy-related claims in opposition to the insurer, together with one for negligence per se based mostly on the insurer’s obvious violation of HIPAA’s privateness rule.
The courtroom famous that negligence per se is a authorized doctrine that imposes duties based mostly on a statutory customary of care moderately than the “moderately prudent individual take a look at” utilized in pure negligence claims. Below the negligence per se doctrine, actors violating a related statute could also be responsible for damages if the violation triggered the kind of hurt to a person that the statute was supposed to keep away from. The courtroom defined that, below relevant state legislation, a negligence per se declare can’t be premised on a statute that, like HIPAA, doesn’t comprise a personal proper of motion and as an alternative offers a complete regulatory scheme with restricted personal cures. The courtroom dismissed the participant’s declare, concluding that permitting a negligence per se declare based mostly on a HIPAA violation would run afoul of legislative intent.
EBIA Remark: The HIPAA privateness rule permits a coated entity to reveal PHI in response to a subpoena. Nevertheless, a coated entity doesn’t have full freedom to reveal PHI. Amongst different issues, affordable efforts have to be made to restrict disclosure of PHI to the minimal essential to adjust to the subpoena—a typical that was not met on this case. Nonetheless, even when HIPAA violations happen, the absence of a HIPAA personal reason for motion creates obstacles to restoration for people harmed by the violations. People searching for cures for HIPAA violations are usually left to the vagaries of state legislation. For extra data, see EBIA’s HIPAA Portability, Privateness & Safety handbook at Sections XX.H (“No Direct Non-public Reason behind Motion within the Statute or Rules”), XXI.D.3 (“Litigation Primarily based on State-Legislation Claims”), and XXVI.D.5 (“Disclosures for Judicial and Administrative Proceedings”). You might also be concerned about our webinar “Sensible Software of HIPAA Use and Disclosure Guidelines for Group Well being Plans” (recorded on 8/12/2021).
Contributing Editors: EBIA Workers.
