Are Your Medical Records Really Yours?
By Donovan B. Dodrill on August 30, 2019
Denying a patient health records does not appear to be a cause of action. However, courts in several jurisdictions have ordered covered entities to disclose a patient’s personal health information to the patient. Regardless, courts often adhere to the HIPAA regulations and will not order the production of medical records. The case law below examines the various ways patients have accessed their medical records after initially being denied access.
State common-law claims are said to be preempted by HIPAA. However, some courts have fond that a HIPAA violation may be used either to supply the standard of care for other tort claims, or as a basis for a claim of negligence per se. R.K. v. St. Mary’s Med. Ctr., Inc., 229 W. Va. 712, 720 (W. Va. 2012). HIPAA does not create a private right of action, but states may create their own HIPAA related causes of action. California uses the Unfair Competition Law to “remedy violations and other laws, both state and federal.” It creates a private right of action to remedy three varieties of unfair competition: unlawful, unfair, and fraudulent.” Webb v. Smart Document Solutions, 499 F. 3d 1078, 1082 (9th Cir. 2007).
Other courts have found there cannot be a claim of negligence per se under HIPAA for disclosure of medical records. Fanean v. Rite Aid Corp. of Del. Inc., 984 A.2d 812, 817 (Del. Super. Ct. 2009). Because there is no separate action under HIPAA, any claim premised by negligence per se under HIPAA is dismissed. Id. Pennsylvania court determined even HIPAA regulations applied to patient’s medical provider, and that provider violated those regulations by providing patient’s supervisor with information, HIPAA’s purpose was to protect interest of general public. Rudern v. Pequea Valley School Dist., 790 F. Supp. 2d 377, 403 (E.D. Penn. 2011). HIPAA could not form statutory basis for teacher’s negligence per se claim against provider under Pennsylvania law. Id.
HIPAA may be used to establish a standard of care.
Some courts allowed HIPAA violations to be used to prove or as evidence indicating a negligent standard of care. HIPAA may be used as a basis for asserting claims in private actions. I.S. v. Wash. Univ., 2011 U.S. Dist. LEXIS 66043, 4 (E.D. Mo. 2011). A violation of HIPAA under negligence per se likely means a failure to comply with HIPAA regulations or requirements would suffice to demonstrate failure to comply with applicable standard in using, disclosing, or protecting information.
When a covered entity made unauthorized disclosures of the plaintiff’s medical records, HIPAA was referenced in order to establish the standard of care to adjudge whether the defendant’s acts were negligent. Id. Failure to comply with HIPAA is not sufficient to demonstrate failure to comply with the standard of care. However, failing to comply with HIPAA can be evidence of not complying with the standard of care. HIPAA cannot be used to find a private cause of action, but HIPAA can be used to establish the legal duty of care. Id.
A plaintiff may not allege a claim under HIPAA for negligence regarding handling of medical records. However, a plaintiff can reference HIPAA in alleging a standard of care. Acosta v. Bryum, 180 N.C. App. 562, 568 (N.C. Ct. App. 2006). The plaintiff did not claim a HIPAA violation. Instead the plaintiff alleged that a doctor providing the access code to medical records violated the rules and regulations of HIPAA. Id. at 572. HIPAA was cited as evidence for the standard of care element in negligence. Id.
A Connecticut court determined a plaintiff can use HIPAA or another state statute to establish the duty element in a negligence claim. See Doe v. Southwest Cmty. Health Ctr., Inc., 2010 Conn. Super. LEXIS 2167, (Conn. Super. Ct. 2010) (denying summary judgment on negligence claim alleging failure to safeguard plaintiff’s protected health care information conforming to duty imposed by common law and by HIPAA).
Violation of HIPAA may be a state-law tort claim of negligence per se.
“The mere presence of a federal issue in a state cause of action does not automatically confer federal jurisdiction.” K.V. v. Women’s Healthcare Network, LLC, 2007 U.S. Dist. LEXIS 102654, 2 (W.D.Mo. 2007). The negligence per se claim based on HIPAA violation for disclosing confidential information was a state-law claim. Id. Despite HIPAA being a federal statute, to have federal jurisdiction over a case, the federal issue must be a substantial one which has serious federal interest. Baum v. Keystone Mercy Health Plan, 826 F. Supp. 2d 718, 720 (E.D. Pa. 2011).
The Pennsylvania court stated claim of negligence per se based on personal improper handling of health information is a state-law tort case “[i]n spite of the fact that the personal data at the heart of this case is protected by HIPAA.” Baum 826 F. Supp. 718 at 721. Negligence per se can be decided by state court if the state has a more stringent security statute. Id.
HIPAA would supersede or preempt any contrary state law. 42 U.S.C. § 1320d-7 (a)(1). A state law is “contrary” to HIPAA if a health care provider “would find it impossible to comply with both the State and federal requirements” or if the state law is “an obstacle to the accomplishment and execution of the full purposes” of HIPAA. 45 C.F.R. § 160.202 (West 2013); R.K. 229 W. Va. at 721. “State common-law claims for the wrongful disclosure of medical or personal information are not inconsistent with HIPAA . . . .” and are not preempted by HIPAA. Id.
“HIPAA’s provisions do not completely preempt state law and expressly preserve state laws that are not inconsistent with its terms.” Harmon v. Maury County, 2005 U.S. Dist, LEXIS 48094, 7-8 (D. Tenn. 2005). “Congress did not provide an exclusive federal remedy under HIPAA.” Id. at 11. HIPAA claim is appropriate for federal court where there is compelling federal interest or a substantial federal question. Id.
However, courts are far from unanimous in deciding to allow HIPAA violations under negligence per se or state statute. When a patient’s medical records were disclosed to her estranged husband, the patient could not use a state statute to bring a HIPAA violation under negligence per se. Young v. Carran, 289 S.W.3d 586, 588 (Ky. Ct. App. 2008). The language of the statute only pertained to state statutes and did not extend to HIPAA, federal statutes, local ordinances, and/ or regulations. Id. at 589.
If a party wishes to bring violation of HIPAA through a state statute, the statute should have intended “to embrace the whole of federal laws and the laws of other states” so there can be a private civil remedy for a vast array of violations. Id.