State Law Causes of Action for Patient Privacy Breach Proceed Despite HIPAA Preemption
March 18, 2015
Since its enactment, many providers have been faced with the risk of government sanctions for patient privacy breaches under the Health Insurance Portability and Accountability Act (“HIPAA”), but have been able to seek solace in the fact that HIPAA does not allow for a private cause of action and preempts conflicting state law. The Connecticut Supreme Court’s opinion in Byrne v. Avery Center for Obstetrics and Gynecology, P.C.1, however, has reemphasized the recent move in several states to allow patient privacy breach claims to proceed under state law.
In Byrne, the court held that HIPAA does “not preempt causes of action, when they exist as a matter of state common or statutory law, arising from health care providers’ breaches of patient confidentiality”2 to the extent the causes of action “do not preclude, conflict with, or complicate health care providers’ compliance with HIPAA.”3 The court supported its holding with a survey of cases from various jurisdictions, further holding that HIPAA may define the standard of care for the state law claims.
A number of courts within the states where Jackson Kelly’s professionals practice, and in which its clients transact business, have held that state law claims could proceed, or at least have left open the possibility for them to proceed:
West Virginia- As more fully detailed in a past Health Law Monitor post, West Virginia has similarly allowed a claim to proceed for a breach of medical records confidentiality. The state Supreme Court of Appeals in RK v. St. Mary’s Medical Center4 reversed the lower court’s dismissal of a claim for wrongful disclosure, finding that state common law claims for the wrongful disclosure of medical or personal health were not inconsistent with HIPAA, but instead complemented it. The court, like in Byrne, noted the other courts that previously allowed claims for negligence per se for violating HIPAA regulations or allowed HIPAA to define the standard of care for other tort claims.
Kentucky- In Young v. Carran, the Kentucky Court of Appeals rejected a claim for patient privacy breach under Kentucky’s negligence per se statute because the statute only provided for private causes of action based on Kentucky state statutes.5 The court, however, appeared to leave open the possibility that a plaintiff may be able to bring independent state law causes of action, and like in Byrne, rely on a federal statute or regulation, such as HIPAA, to define the duty of care.6 But in this instance, the plaintiff abandoned her state common law causes of action on appeal, so the issue was not before the Court.
Pennsylvania- The United States District Court in Baum v. Keystone Mercy Health Plan,7 while remanding claims implicating HIPAA for lack of federal subject matter jurisdiction, acknowledged they were viable claims under state law. The court’s decision to remand was based on the lack of federal subject matter jurisdiction, implying that the claims could proceed in state court even though they implicated HIPAA, which on its own did not provide for a private cause of action.
Ohio- Ohio courts have not definitively decided whether a state law claim based on a HIPAA violation is preempted. Nevertheless, a federal court in Ohio was faced with claims that a disclosure—permissible under HIPAA—violated Ohio’s patient-physician privilege statute. In Turk v. Oiler,8 the court, while acknowledging there was no federal private right of action under HIPAA, denied a motion for judgment on the pleadings, holding that the plaintiff’s claim for violation of the state patient-physician privilege statute was not pre-empted by HIPAA. In Turk, the provider disclosed records in response to a grand jury subpoena, and although such disclosure was permitted under HIPAA, there was no such exception to the Ohio patient-physician privilege statute. Unlike Byrne, the claims did not rely on HIPAA to establish the standard of care as the disclosure conformed to that standard. Yet, Turk is significant to providers across the country who must ensure that they not only meet the exceptions under the HIPAA regulations for disclosure of records, but also more stringent state laws and regulations.
Indiana- Just days after the Byrne decision, and without much discussion on the interplay between HIPAA and state law causes of action, the Court of Appeals of Indiana affirmed a $1.4 million verdict against Walgreen Co. in Walgreen Co. v. Hinchy.9 The plaintiff asserted, and ultimately prevailed on, claims for negligence/malpractice and public disclosure of private facts based on a single pharmacist’s unauthorized access and disclosure of the plaintiff’s prescription records. This case, however, remains open and may be heard by the Indiana Supreme Court.
This article was written by Chacey R. Ford, Jackson Kelly PLLC. For more information on the author, see here.
1 102 A.3d 32 (2014).
2 Id. at 42.
3 Id. at 49.
4 735 S.E.2d 715 (2012).
5 289 S.W.3d 586, 588-89 (Ky. App. 2008).
6 Id. at 589 (citing T & M Jewelry, Inc. v. Hicks ex rel. Hicks, 189 S.W.3d 526, 531 (Ky. 2006) (holding federal Gun Control Act could define duty of care for state common law negligence claim despite inability to bring civil claim under federal statute or state negligence per se claim)).
7 826 F. Supp. 2d 718 (E.D. Pa. 2011).
8 732 F. Supp. 2d 758 (N.D. Ohio 2010).
9 2014 WL 6130795 (Ind. Ct. App. Nov. 14, 2014) on reh'g, 2015 WL 207955 (Ind. Ct. App. Jan. 15, 2015) (affirming Nov. 14, 2014 decision).