Confidentiality violations are leading to civil lawsuits in addition to HIPAA enforcement actions. Until recently, courts have dismissed civil actions against healthcare providers for conduct related to possible HIPAA violations, asserting that HIPAA’s restriction of private right of action preempts state and local privacy, confidentiality, and negligence laws. But some states are now starting to hear civil claims against healthcare providers in these cases.
At issue is whether HIPAA, a federal law, “preempts” state and local laws and therefore prevents any recovery for private causes of action under other, related state laws. Courts have been dismissing these cases, saying, “You are asserting negligence and invasion of privacy, but you’re really asking for recompense because there was a HIPAA violation. HIPAA preempts state law, so we don’t have jurisdiction.”
Recent cases in states including Connecticut and New Jersey are questioning this precedent. The Connecticut Supreme Court reasoned that HIPAA does not preempt civil claims because they are not “contrary” to HIPAA. “Contrary” is defined in HIPAA as either:
- a situation in which it is impossible to comply with both the State and Federal requirements; or
- the state law stands as an obstacle to the accomplishment and execution of the full purposes [of the federal law].
The court acknowledged that HIPAA precludes a private right of action, but noted a US Supreme Court decision holding that a state law is not preempted merely because it imposes liability over and above what a federal law imposes. The court also relied heavily on a comment made by the Department of Health and Human Services in the administrative commentary during the HIPAA final rule-making process:
“The fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions,” namely, fines and imprisonment.
The court was further persuaded by precedent in other jurisdictions concluding that state law and HIPAA are not in conflict because both discourage the wrongful disclosure of health information.
The counter-argument is that Congress intended HIPAA to control the entire field and to permit only HHS and state attorneys general to take enforcement action over PHI breaches and privacy or security incidents.
Ultimately, this question may end up in front of the U.S. Supreme Court before it is resolved.
At this point, healthcare organizations should just be aware of the growing possibility that they could face civil lawsuits in the wake of breaches or security incidents, not just HIPAA enforcement.