So, You Thought HIPAA Didn’t Create a Private Cause of Action? Wrong – and with HITECH It Creates a Hugely Expanded Class of Defendants.

Think again! Then read down to see an even more significant implication given HITECH’s expansion of HIPAA jurisdiction to Business Associates.

The link takes you to a blog post I did for the Washington State Bar Association Health Law Section (which is a great organization, and if you’re a Washington lawyer you should definitely join), about the question whether HIPAA/HITECH standards apply to create a private negligence cause of action. The short answer is yes, and the same probably holds true in any state which allows regulations to be used to prove, or as evidence indicating, a negligence standard of care. The post was inspired by a West Virginia Supreme Court decision which reviewed the developing caselaw from a number of states in this area and concluded that in West Virginia, as in several other states, HIPAA does indeed provide a standard of care for a common law tort action, and that such an action is not itself preempted by HIPAA.

The specifics of this kind of action will vary state-to-state. In some cases the action will be for “negligence per se,” meaning that proof of a failure to comply with a HIPAA regulatory requirement or prohibition would suffice to demonstrate failure to comply with the applicable standard of care in using, disclosing or protecting information. Washington and some other states, on the other hand, would not make proof of a failure to comply with HIPAA sufficient to demonstrate failure to comply with the applicable standard of care in and of itself, but would allow the plaintiff to submit evidence of a failure to comply with HIPAA, and the judge and/or jury to consider it as evidence the defendant did not comply with the common law tort standard of care.

The practical difference between the two (I think!) is that in negligence per se states, the plaintiff could win summary judgment by proving a failure to comply with HIPAA, while in Washington and those following a comparable rule summary judgment on such grounds is less likely, but not impossible. HIPAA compliance in this context would be a factual question, with evidence of compliance or non-compliance provided by expert witnesses. I’ve been an expert witness on HIPAA standards of care in a number of cases already, where for example the question was whether the defendant was in compliance with a contract or bylaws requirement for HIPAA compliance, and this can be a pretty adversarial approach to HIPAA analysis.

As a practical matter this means that Covered Entities – and Business Associates (I think as of the HITECH effective date of March 25, not the “compliance date” of September 23) – may be liable to any individual whose PHI is (1) used or disclosed by the Covered Entity or Business Associate in violation of a HIPAA requirement or prohibition, (2) not made available or amended, etc., in violation of a HIPAA requirement or prohibition, or (3) used, disclosed, modified or destroyed due to a failure to comply with the Security Rule.

The principal limiting factor would seem to me to be whether the plaintiff can prove damages. For example, the fact that a plaintiff fears that lost personal information might some day be used for identity theft purposes has been held insufficient to allow a negligence claim. On the other hand, credit monitoring and related fees may be sufficient damages to support a claim based on a personal information data breach, though the complexity of proving damages may preclude a class action on such a basis. So, at least for the time being, Covered Entities and Business Associates may not have to worry about class actions based on negligence claims using a HIPAA standard of care. But it seems to me they should be aware that such claims are likely to surface in other situations, and may sometimes create real problems.

This kind of claim is just about certain to start surfacing in data breach lawsuits against Covered Entities, as soon as the plaintiffs’ bar catches up to the theory. (Please don’t tell them! They’ll figure it out soon enough on their own . . . ) In that setting the negligence claim is probably duplicative of whatever other theory the plaintiffs were going to pursue, though I suspect it may become a primary theory for such purposes against Covered Entities. I’d also look for some attempts to use the theory creatively in other kinds of lawsuits against Covered Entities – in fact I already have seen some of that – as an ancillary claim which may be intended to create leverage for other claims, or complicate their defense. And based on experience I would also, frankly, expect to see some quite peculiar uses of the theory, where plaintiffs may have a grudge against the Covered Entity, especially if they are represented by legal counsel who doesn’t quite understand the issue – or is willing to push the envelope.

But what I expect will be really interesting (in the way, perhaps, that seeing a car crash is “interesting” – it’s painful and potentially horrible but you can’t look away) will be how the theory is applied to Business Associates. In the absence of this theory for a standard of care, very few if any Business Associates can be liable to an individual for anything they might do or fail to do with respect to their personal information, aside from failure to notify them of a security breach under some state breach notification statutes. The reason for this is more fundamental than difficulty in proving damages or a standard of care; the reason is that the law has not recognized a duty of care which would apply between Business Associate and PHI data subjects.

For this kind of purpose a duty of care has to be created or recognized in law. Health care providers have long been required to protect patient data as a matter of ethics as well as licensure, in many states by statute or regulation, or by common law – but this is a duty they owe their patients because of the provider-patient relationship. Duties of care are generally based on a relationship between the plaintiff and defendant, and the duty of care has to be established before the question of the standard of care even comes up.

Now, however, HITECH has expanded the duty of care with respect to PHI to Business Associates – even Business Associates at the far end of a Business Associate “chain,” and even Business Associates who don’t know that’s what they are. And this includes many types of organization which have not previously had to worry about being sued by the individuals whose personal information they may have or use.

Consider just one type of situation, albeit one I can relate to rather directly: a law firm Business Associate, say one defending a hospital against a potential data breach class action with thousands of plaintiffs. (It could also be medical malpractice, unfair trade practices or any one of many types of claim where analysis of information including PHI is required. It also needn’t be a hospital – it could be a big insurance company, etc.) HITECH now requires the law firm to comply with HIPAA as a Business Associate. So what happens if the law firm in turn experiences a security breach affecting the PHI it has for purposes of the litigation? Don’t the affected plaintiffs now have a new cause of action, against the law firm? If not, why not?

And I can just imagine some of the mischief that’s likely to crop up in adversarial, well-funded divorce disputes, and when prison lawyers begin to get hold of this . . .
