
Confidentiality violations are leading to civil lawsuits in addition to HIPAA enforcement actions. Until recently, courts have dismissed civil actions against healthcare providers for conduct related to possible HIPAA violations, asserting that HIPAA’s restriction of private right of action preempts state and local privacy, confidentiality, and negligence laws. But some states are now starting to hear civil claims against healthcare providers in these cases.

At issue is whether HIPAA, a federal law, “preempts” state and local laws and therefore prevents any recovery for private causes of action under other, related state laws. Courts have been dismissing these cases, saying, “You are asserting negligence and invasion of privacy, but you’re really asking for recompense because there was a HIPAA violation. HIPAA preempts state law, so we don’t have jurisdiction.”

Recent cases in states including Connecticut and New Jersey are questioning this precedent. The Connecticut Supreme Court reasoned that HIPAA does not preempt civil claims because they are not “contrary” to HIPAA. “Contrary” is defined in HIPAA as either:

  1. a situation in which it is impossible to comply with both the State and Federal requirements; or
  2. the state law stands as an obstacle to the accomplishment and execution of the full purposes [of the federal law].

The court acknowledged that HIPAA precludes a private right of action, but noted a US Supreme Court decision holding that a state law that imposes liability over and above what a federal law imposes qualifies as “preempting” it. The court also relied heavily on a comment made by the Department of Health and Human Services in the administrative commentary during the HIPAA final rule-making process:

“The fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions,” namely, fines and imprisonment.

The court was further persuaded by precedent in other jurisdictions concluding that state law and HIPAA are not in conflict because both discourage the wrongful disclosure of health information.

The counter-argument is that Congress intended HIPAA to occupy the entire field and to permit only HHS and state Attorneys General to enforce PHI breaches and privacy or security incidents.

Ultimately, this question may end up in front of the U.S. Supreme Court before it is resolved.

At this point, healthcare organizations should just be aware of the growing possibility that they could face civil lawsuits in the wake of breaches or security incidents, not just HIPAA enforcement.


About Jacob Overdorff

Jacob Overdorff, Consultant for Eagle Consulting

Jacob is a consultant at Eagle Consulting with a legal background and a strong focus on HIPAA compliance obligations. He graduated from the University of Akron School of Law in 2015, has worked as a law clerk for the International Institute of Akron, and brings research, client service, and management skills to the team.
