Let’s say you go into your physician’s office for a test. Make it a test to rule out a condition: pregnancy, multiple sclerosis, diabetes, HIV, you name it. The front desk receptionist at the doctor’s office not only knows you but she also knows many of your friends and family members. You move in a number of similar circles. Several weeks after your test you find out that the receptionist has informed a number of your friends and even family members about your test. This information was passed on in casual social conversations and in ways completely unrelated to your medical treatment. You are terribly embarrassed. You fear your friends and family see you in a completely different light and worry that your reputation in the community may suffer. Perhaps there is even some financial loss to your business as a result of the indiscreet receptionist. Does the Health Insurance Portability and Accountability Act (HIPAA) provide you any remedy? The U.S. Court of Appeals for the Fifth Circuit decided a case a couple of weeks ago that settles the issue for those living in Texas, Louisiana and Mississippi. Acara v. Banks, 2006 U.S. App. LEXIS 28120. You can find the case here at the Fifth Circuit website. Acara alleged that her physician violated HIPAA when he disclosed her personal medical information in a deposition without her consent. However, violation of a statute does not necessarily mean that the person who was injured can bring a lawsuit and collect damages based on the statute’s violation. Statutes can create rights without creating a private remedy for the person who it is intended to protect. In the case of HIPAA, Congress did not specifically state that the person whose privacy was violated had the right to sue the disclosing party. In Acara the Fifth Circuit was called on to determine whether HIPAA implies such a right for the individual to bring suit and collect damages based on a violation of the statute. HIPAA provides both criminal and civil penalties for wrongful disclosure of protected health information. But these penalties must be enforced by government agencies, not individuals acting on their own behalf. In light of these express provisions for enforcement of the statute without any statement from Congress that individuals have the right sue for violations of the statute, the Fifth Circuit ruled that individuals whose protected health information is disclosed have no ability to sue based on a violation of HIPAA alone. Although this is the first federal Circuit to have issued a decision on this issue, it is not surprising. A number of federal District courts identified in Acara have ruled the same way. In addition, state law claims such as invasion of privacy or other torts are still available as the basis for a suit for damages. The violation of HIPAA is evidence that the person disclosing the information violated his or her standard of care. Thus, a violation of HIPAA can strengthen a state law tort lawsuit considerably.
Post A Comment