A federal trial court has dismissed state-law claims brought by a group health plan participant after the plan’s insurer disclosed the participant’s protected health information (PHI) in violation of the HIPAA privacy rule. According to the complaint, the insurer received a subpoena directing it to disclose specified medical records to an assistant judge for private review before the records would potentially be disclosed to an attorney for the participant’s ex-spouse. However, the insurer allegedly violated HIPAA by disclosing records beyond those described in the subpoena. Moreover, the disclosure was made directly to the ex-spouse’s attorney rather than to the assistant judge. The participant brought several privacy-related claims against the insurer, including one for negligence per se based on the insurer’s apparent violation of HIPAA’s privacy rule.
The court noted that negligence per se is a legal doctrine that imposes duties based on a statutory standard of care rather than the “reasonably prudent person test” used in pure negligence claims. Under the negligence per se doctrine, actors violating a relevant statute may be liable for damages if the violation caused the type of harm to an individual that the statute was intended to avoid. The court explained that, under applicable state law, a negligence per se claim cannot be premised on a statute that, like HIPAA, does not contain a private right of action and instead provides a comprehensive regulatory scheme with limited private remedies. The court dismissed the participant’s claim, concluding that allowing a negligence per se claim based on a HIPAA violation would run afoul of legislative intent.
EBIA Comment: The HIPAA privacy rule permits a covered entity to disclose PHI in response to a subpoena. However, a covered entity does not have complete freedom to disclose PHI. Among other things, reasonable efforts must be made to limit disclosure of PHI to the minimum necessary to comply with the subpoena—a standard that was not met in this case. Still, even when HIPAA violations occur, the absence of a HIPAA private cause of action creates obstacles to recovery for individuals harmed by the violations. Individuals seeking remedies for HIPAA violations are typically left to the vagaries of state law. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.H (“No Direct Private Cause of Action in the Statute or Regulations”), XXI.D.3 (“Litigation Based on State-Law Claims”), and XXVI.D.5 (“Disclosures for Judicial and Administrative Proceedings”). You may also be interested in our webinar “Practical Application of HIPAA Use and Disclosure Rules for Group Health Plans” (recorded on 8/12/2021).
Contributing Editors: EBIA Staff.