When we think about the privacy and security of patients’ medical information, we generally think HIPAA and federal law. But HIPAA is not the only law requiring the appropriate safeguarding of patient information. Both federal regulations (via the Federal Trade Commission [FTC]) and state regulations also impose an obligation to protect the confidentiality of your patients’ protected health information (PHI).1,2
When Congress passed the Health Insurance Portability and Accountability Act of 1996, it sought to provide a federal framework for governing PHI. However, before the updated version of HIPAA electronic health records went into effect in 2009, a number of states had already enacted statutes and rules regulating the privacy of health care information.3 Even after the federal law’s passage, states have continued to enact their own laws regulating health care information.4
With this update to HIPAA, rules were put in place on how doctors, hospitals, insurance companies, and other health care providers are required to handle PHI. Additionally, when a provider violates HIPAA privacy and security laws by carelessly handling sensitive information, they open the door for the patient to be eligible to pursue legal action against them.5
While a HIPAA claim to the Office for Civil Rights (OCR) or a state attorney general is the most common place to address these incidents, a separate issue may lead to a medical malpractice claim.6 In some instances, HIPAA violations have been cited as a contributing factor to medical malpractice, leading to these additional claims.
Other Federal Statutes and Regulations as Possible Sources of Individual Actions Asserting Claims Under State Law
HIPAA is not the sole federal statute and regulation governing the privacy and security of information, including information that is PHI under HIPAA. For example, in a complaint filed on August 29, 2013, the FTC brought an administrative action against LabMD, Inc. on the grounds that the company failed to reasonably protect the security of PHI, allegedly found on a peer-to-peer file-sharing network, in violation of the Federal Trade Commission Act.7 Note: the incident did not involve an alleged violation of HIPAA.7
The FTC also regulates the privacy and security of information contained in personal health records that are not subject to HIPAA and has adopted a “Health Breach Notification Rule” governing “foreign and domestic vendors of personal health records (PHR) related entities, and third-party service provider.8,9
The Differences Between a HIPAA Violation and Medical Malpractice
HIPAA violations and medical malpractice are serious breaches of professional conduct, and both have the potential to endanger patients’ rights. However, these are two different areas of the law and they rarely overlap.
HIPAA laws uphold a patient’s rights to privacy, not the level of care they receive. These rules protect the security of health information. HIPAA violations result in fines and sanctions, up to and potentially including loss of privileges to practice medicine. Criminal charges might even result in instances of repeated or willful breaches of HIPAA standards, and improper use of PHI for economic and/or personal gain.
Generally, a provider cannot be sued on the sole grounds of a HIPAA violation. However, there may be other options available to the patient if a doctor violated a patient’s privacy. For one, HIPAA rules overlap with many state laws. While patients cannot sue based on HIPAA, they might be able to pursue damages based on a violation of state law. Additionally, in many states, HIPAA implies a contractual relationship between the patient and the provider. A violation can constitute a breach of that contract, which would allow the patient to file suit outside the HIPAA regulations.
The Supremacy Clause and Preemption
The United States Constitution’s Supremacy Clause provides laws made pursuant to it “shall be the supreme law of the Land.”10 In certain scenarios, if there is a conflict between federal law and state law, federal law will override it.
As such, federal law will override state law when Congress expressly preempts state law by explicitly providing that federal law displaces a state law.10 Congress can also implicitly preempt state law in two ways. The first is field preemption, in which federal regulation is so pervasive that Congress leaves the states with no room to supplement the federal law. The second form of implied preemption is conflict preemption, in which compliance with both federal and state laws is impossible, leading to conflict.
At the time of HIPAA’s drafting, the language explicitly provided that HIPAA’s provisions preempt any “contrary state law” addressing patient privacy and PHI.10 The regulations define “state law” to mean “a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.” HIPAA defines a state law as “contrary” if:
(1) the state law would make it impossible for the healthcare provider to comply with HIPAA and the state directive at the same time; or
(2) the state provision stands as an obstacle to the accomplishment of the full objectives of HIPAA.
Therefore, HIPAA will preempt a state’s laws that meet either of these conditions.
Note that HIPAA creates a baseline, not a ceiling, regarding health privacy regulations.10 Thus, a state can pass a law more stringent than HIPAA to protect patient privacy. A state law on patient privacy is “more stringent” than a corresponding HIPAA provision if the state law does any of the following:
• prohibits the use or disclosure of information when the federal law would permit it;
• provides a patient with “greater rights of access or amendment” to health information;
• provides a patient with a “greater amount of information” about health information use, disclosure, rights, or remedies;
• provides for more detailed recordkeeping or accounting of disclosures;
• provides requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the express legal permission for a disclosure of information; or
• with respect to any other matter, the state law provides greater privacy protection of the information’s subject matter.
Medical malpractice refers to a situation in which a doctor or health care provider fails to meet the standard of care expected of their profession—i.e. the doctor failed to exercise a reasonable standard of care in treating patients.
More frequently now, with case law (to be discussed later), HIPAA has deemed to be a “standard of care” and the failure to maintain a patient’s privacy, a HIPAA violation, might fall under this definition of malpractice.
It is important to note that medical mistakes do not necessarily qualify as malpractice. To be susceptible to a medical malpractice lawsuit, the doctor must have violated the “reasonable person” standard. In other words, would a reasonable person—possessing the same education and training as the doctor in question, and faced with the same situation—have provided a higher level of care? If so, grounds for medical malpractice exist. Or, to say it differently, consider the degree of care (watchfulness, attention, caution, and prudence) that a reasonable person should exercise under the circumstances. If a person does not meet the standard of care, he or she may be liable to a third party for negligence.11
When Do Medical Malpractice and HIPAA Laws Intersect?
HIPAA laws overlap with medical malpractice rules when it comes to a doctor’s responsibility to maintain a patient’s privacy. To win a medical malpractice case on this basis, the patient’s attorney must make a strong case that the provider’s standard of care includes the requirement to follow HIPAA regulations.
HIPAA Standards and State Law Causes of Action
The Connecticut Supreme Court’s decision in Byrne v. Avery Center for Obstetrics & Gynecology, P.C. was the first time a state court recognized HIPAA requirements as a duty owed in a negligence case.12 After this decision, an aggrieved party in Connecticut has the right to sue a HIPAA violator directly in state court even though HIPAA itself does not create the right to bring an action.
The Connecticut Supreme Court reached two key conclusions:
• HIPAA does not preempt state common law causes of action for negligence, and
• the HIPAA regulations may be used to establish a standard of care for common law negligence causes of action.
The Connecticut Supreme Court ruled HIPAA as a standard of care, opening the door to civil litigation outside of the HIPAA regulation. The court’s logic was “We conclude that a duty of confidentiality arises from the physician-patient relationship and that the unauthorized disclosure of confidential information obtained in the course of that relationship gives rise to a cause of action sounding in tort against the health care provider unless the disclosure is otherwise allowed by law.”12
In the years following Byrne, other states have adopted Connecticut’s view that HIPAA does not preempt state law and that HIPAA can establish a standard of care applicable to state claims.12 An Indiana court held that a patient could sue a pharmacy for negligence after failing to monitor the use and disclosure of PHI by employees.13 There, a pharmacy employee disclosed the plaintiff’s prescription records, which were used to harass and extort the plaintiff. The Indiana Appellate Court held that the pharmacy and its employee were liable under negligence for the HIPAA violation and affirmed the trial court’s award of $1.8 million in damages.
This decision expanded the intersection between HIPAA and civil tort law from cases such as Walgreens Co. v. Hinchy, where an Indiana jury was ruled that the defendant, a Walgreens pharmacist, breached the standard of care when she divulged confidential information about the plaintiff’s medical history and prescriptions.13
Similarly, West Virginia’s state Supreme Court concluded that HIPAA did not preempt a patient’s state law tort claims arising from a hospital’s alleged unauthorized disclosure of the patient’s confidential medical and psychiatric information because the state law claims were not inconsistent with HIPAA.14 Here, the state-law claims complemented HIPAA by enhancing the penalties for its violation and thereby encouraging covered entities to comply with HIPAA.
Not all states have adopted Connecticut’s approach, however. Maine’s Supreme Court heard a class-action lawsuit filed by hospital emergency room patients against a hospital after the hospital’s security guard disclosed private health information to the police without their knowledge.15 The patients claimed that the unauthorized disclosure of their confidential health care information violated HIPAA and state law. Maine’s Supreme Court disagreed and held that HIPAA did not create a standard for violation of state law because HIPAA does not provide a private cause of action.15
Laws are inconsistent from state to stare, so covered entities and related business associates should review relevant state laws to ensure that they comply with the laws under both HIPAA and any states where they do business.
We must remember that most HIPAA violations do not constitute breaches in the standard of care, making it difficult to get them classified as medical malpractice in a court setting. Acts that represent clear privacy violations, but do not rise to the level of medical malpractice, include:
• Employees improperly accessing sensitive patient medical files, whether accidentally or on purpose;
• Employees transmitting medical records improperly or insecurely, such as over a public email server;
• Employees storing information on cellphones or other portable devices that are easily lost, misplaced, or stolen; or
• Employees gossiping or talking too loudly about a patient’s medical history in earshot of others not privileged to the information.
While divulging information from your medical records is generally not considered malpractice, forging or changing your records could be grounds for a lawsuit. But if a physician were to alter a medical record, this would be a clear violation of the standard of care doctrine, opening the door to a valid medical malpractice claim.
Complicating the playing field are state laws trying to clarify the intersection between malpractice and HIPAA. In Georgia, a new medical malpractice reform bill enacted in 2005 required a patient who brings a medical malpractice action to sign a mandatory medical record disclosure form upon filing the complaint. The disclosure permitted the health care provider who is being sued to have access to the suing patient’s PHI, including information from other physicians, to facilitate the investigation, evaluation, and defense of the claims. The form, mandated by Georgia law, lacked an explicit warning that the suing patient could revoke the permission. The form also lacked a specific expiration date or event, although it implicitly limited the release to the underlying malpractice complaint.
For example, HIPAA has been used twice to stop the disclosure of medical records that would otherwise be required under Georgia’s medical malpractice reform law. Northlake Medical Center, LLC v. Queen and Allen v. Wright are Georgia appellate court decisions that highlight the complex interplay between the disclosure of medical records under state laws and the trumping of those laws by HIPAA.16,17
The Georgia cases held that this mandatory disclosure form conflicted with HIPAA’s requirements for written authorizations for the release of protected health information.16,17 The courts were also alarmed by the breadth and non-specificity of the PHI that might be inadvertently disclosed by physicians. Furthermore, it was apparent to the court that the authorization was not needed because a request for PHI relevant to the medical malpractice defense could be obtained in Georgia via a subpoena.
Limitations on HIPAA Violations as a Basis for Medical Malpractice
Even if the Byrne reasoning is broadly adopted across states, in general, patients may still face a number of challenges in court. As plaintiffs, patients may still face the most common hurdle to private breach litigation—demonstrating harm resulting directly from an unauthorized disclosure. For example, in Remijas v. The Neiman Marcus Group, LLC, the court of Illinois concluded that the plaintiffs failed to demonstrate sufficiently concrete harm to bring a claim.18 Yet there may be an important distinction for the types of sensitive health information protected by HIPAA.
Most cases that have been dismissed for lack of concrete harm have involved financial information or government-issued identifiers (e.g., Social Security numbers). These types of information may be used to commit identity theft and fraud, resulting in financial harm. However, these potential harms require additional steps on the part of criminals to have any effect on individuals. In addition, non-legal remedies may ameliorate harm to individuals. For instance, the court in Remijas noted that fraudulent charges can be reimbursed to consumers.18 On the other hand, the content of health information can be highly sensitive, resulting in financial, reputational, and/or emotional harm as an immediate consequence of disclosure. This is one of the reasons that many states expressly prohibit unauthorized disclosures of medical records with little, if any, regard to how that information is used or to whom it is disclosed. Therefore, plaintiffs may find greater success in demonstrating harm from unauthorized disclosures of HIPAA protected health information.
Finally, it should be noted that the establishment of HIPAA as a standard of care could be somewhat beneficial to HIPAA covered entities and business associates. The HIPAA regulations set out clear guidelines for appropriate uses, disclosures, and safeguards for PHI. Nonetheless, HIPAA covered entities and business associates should carefully monitor developments in their state and take steps to ensure that their HIPAA compliance programs are as robust as possible.
If HIPAA violations become a predicate to common law private rights of action, the impact could apply across a wide range of the economy. HIPAA-covered entities, such as health care providers and insurers, would face heightened legal and financial risks. It should also be noted that the HITECH Act imposes much of the HIPAA statute and regulations (including all requirements of the HIPAA Security Rule) directly upon business associates. Hence, the establishment of a common law private right of action could also present significant risk to entities that regularly handle or process health information on behalf of covered entities, including information technology consultants and service providers, accounting firms, and law firms.
Efforts to use HIPAA regulations or other federal statutes and regulations as standards for causes of action under state law involving breaches relating to individual health information can be expected to rise as a result of the Byrne decision. This area will be the source of expanded litigation and uncertainty in jurisdictions around the country unless and until the U.S. Supreme Court renders its opinion on the matter.
Roger Shindell is Chief Executive Officer of Carosh. He is also chairman of the Healthcare Information and Management Systems Society (HIMSS) Risk Assessment Work Group and is a member of American Health Information Management Association (AHIMA) privacy and security council. Shindell has more than 30 years of multidisciplinary experience in health care and has served as an advisor and principal in health care, technology, and service companies. He may be reached at firstname.lastname@example.org.
The author is not an attorney and as such, the information in this article are the opinions of the author and should not be construed as legal advice.
1. 15 U.S.C. §§ 6501-6506
2. 16 U.S.C. §§ 1.C.314
3. Health Information Technology for Economic and Clinical Health Act (HITECH)
4. Cohen B. Reconciling the HIPAA Privacy Rule with States Laws Regulating Ex Parte Interviews of Plaintiffs’ Treating Physicians: A Guide to Performing HIPAA Preemption Analysis. Houston Law Rev. 2006; 43(1091):1–52.
5. Almost exclusively under state laws
6. While most reports at the federal level are to OCR, other federal agencies may be the regulator responsible for addressing the “breach”—for example the FTC is responsible for privacy and security around online portals containing and/or processing PHI.
7. 15 U.S.C. 45(a) (“Section 5”)
8. Section 13407 of the American Recovery and Reinvestment Act of 2009.
9. 16 C.F.R. 318.1
10. HIPAA and the preemption of state law. Available at https://lawshelf.com/videocoursesmoduleview/hipaa-and-the-preemption-of-state-law-module-4-of-5/.
11. Cornell Law School. Available at https://www.law.cornell.edu/wex/standard_of_care.
12. Byrne v. Avery Center for Obstetrics & Gynecology, P.C. SC 19873 (Conn. Jan. 16, 2018).
13. Walgreens Co. v. Hinchy, NE 2d 2014 WL 6130795 (Ind. Ct. App. 2014)
14. R.K. v. St. Mary's Med. Ctr., Inc., 735 S.E.2d 715, 721-22 (W. Va. 2012).
15. Bonney v. Stephens Mem’l Hosp., 17 A.3d 123, 127-28 (Me. 2011).
16. Northlake Medical Center, LLC v. Queen, 280 Ga. App. 510 (Ga. Ct. App. 2006)
17. Allen et al. v. Wright, 644 SE 2d 814 (2007)
18. Remijas v. Neiman Marcus Grp., LLC 794 F.3d 688 (7th Cir. 2015)