The HIPAA Act turns 25 on August 21, 2021. On Wednesday, August 21, 1996, President Bill Clinton signed HIPAA into law, with bipartisan support from Congress. The signing took place as part of a gala ceremony on the White House lawn, complete with a Marine band and an invited audience. In the past 25 years, the Department of Health and Human Services has issued regulations requiring covered entities and business associates to provide for the privacy and security of electronic protected health information. Sporadic regulations have been proposed, modified, and implemented during that time. Only when HIPAA graduated teenagehood did it begin to really find another purpose – that is, being used as the basis for patient lawsuits against their physicians. The HIPAA Act 25th Anniversary can’t really be properly celebrated without acknowledging this trend, which is discussed below.
HIPAA Act 25th Anniversary: Using HIPAA as a Lawsuit Tool
The HIPAA Act does not provide a right for individuals to sue. Instead, individuals claiming that a covered entity or business associate violated the Privacy Rule, the Security Rule, or the Breach Notification Rule, must file a complaint with the Office for Civil Rights (OCR).
OCR then investigates, and, if appropriate, proposes issuing a civil monetary penalty or other sanction (such as a corrective action plan) against an entity that OCR believes violated one or more HIPAA regulations. The penalty money (or, if OCR enters into a settlement agreement, the settlement money) is collected by the government. It does not go into the pockets of complaining individuals. For some individuals, not being able to receive money damages based on a provider’s wrongdoing is a disincentive to filing a complaint. Lawyers in particular have been reluctant to represent individuals alleging a HIPAA violation, without the possibility of a potential payday.
Several years before the HIPAA Act 25th Anniversary, enterprising individuals found a way to sue their providers “under HIPAA.” In these “HIPAA lawsuits,” which, notably, include a 5-lawsuit class action brought against Premera Blue Cross in 2015, an individual, or class of individuals, files a lawsuit against a provider under a state data privacy, data security, or data breach notification law. The lawsuits allege that, although HIPAA itself does not permit lawsuits for money damages, it nonetheless establishes a professional standard of care. If, the plaintiffs argue, a provider has violated HIPAA, the violation is proof of failure to meet that standard of care. The concept of breaching a “standard of care” has long been recognized by state courts as a basis for awarding money damages. So, as we celebrate the HIPAA Act 25th anniversary, plaintiffs are banding together, in some instances joining those from other states, to sue providers for money, by alleging the providers violated HIPAA.
Anatomy of a HIPAA Lawsuit
A recent class-action suit filed over San Diego provider Rady Children’s Hospital’s (Rady) data breach is a good illustration of what Plaintiffs are arguing in their HIPAA lawsuits. In Doe v. Rady Children’s Hospital, the plaintiffs allege that a ransomware attack on Rady’s network resulted in a data breach that exposed the protected health information of over 20,000 individuals.
In the lawsuit, the plaintiffs allege that because Rady, “creates, maintains, preserves, stores, abandons, destroys, or disposes medical information,” it is therefore required to “take appropriate preventative actions to protect its patients’ medical information against release consistent with the HIPAA Act, (the HIPAA Privacy, Security, and Breach Notification Rules).” Because, the argument goes, Rady did not implement adequate security controls, policies or procedures, as required by HIPAA, Rady breached a duty of professional care – an obligation to properly safeguard confidential medical information – it owed to the Plaintiffs. This breach, Plaintiffs assert, constitutes negligence on Rady’s part that entitles Plaintiffs to money damages.
The Rady lawsuit is not the first lawsuit to invoke HIPAA as the basis for money damages, and it will not be the last. Judges in a number of states have become receptive to this argument. Just another development in HIPAA’s continuing evolution as it reaches the ripe old age of 25.
