HIPAA lawsuits – litigation involving a plaintiff claiming violation of a HIPAA regulation – usually do not get very far, as the plaintiffs in a data breach lawsuit against Episcopal Health Services discovered. HIPAA lawsuits, which are usually filed in court, are almost always dismissed by the judges assigned to hear them.

What Happens to HIPAA Lawsuits: No Standing

For a court to hear a lawsuit, it must have jurisdiction (Latin for “the power to speak the law”) over the individuals suing or being sued, and it must have jurisdiction over the subject matter of the lawsuit. If a court does not have the power to hear certain kinds of cases, it must dismiss those cases for what is called “lack of standing.” “Standing” means the right of an individual to bring a lawsuit that a court has jurisdiction to hear. 

HIPAA contains no private right of action. This means the text of the HIPAA law and regulations does not have any provision stating something to the effect of “Any person injured by a HIPAA violation can sue in federal court.” If a federal law does not have a “private right of action” provision (or if the text of the law does not imply one), there is no dispute for a court to hear, and no remedy for a court to provide. Article III of the U.S. Constitution gives federal courts the right to hear only “cases and controversies,” meaning lawsuits where a judge or jury is permitted to find in favor of one party or the other. No standing=no case or no controversy=no jurisdiction over subject matter=dismissal.

Do you have an effective HIPAA compliance program?

Find out now by completing the HIPAA compliance checklist.

Courts have held that HIPAA contains no private right of action for over 25 years. But…, the persistence of U.S. litigants should never be underestimated.

What Happens to HIPAA Lawsuits: Plaintiffs Try to Be Clever

In September 2018, Episcopal discovered a data breach – multiple email accounts were hacked after a number of employees fell victim to phishing scams. The hacked data included health information, Social Security numbers, medical histories, and other sensitive data, of various patients. When Episcopal reported the breach, it reported the breach to HHS. Episcopal then discovered that more patients were potentially impacted.

To get around the “no private right of action rule” in this case, Plaintiffs came up with a novel argument: Episcopal’s 3failure to train and hire employees, the plaintiffs alleged, caused the employees to fall victim to the phishing scam, which then caused the hack, which then caused the plaintiffs damages, which entitled them to sue. The argument, in essence, was this: When Episcopal agreed to treat Plaintiffs, it entered into a contract with them. Under that contract, it was required to follow the Security Rule. Since, the Plaintiffs alleged, Episcopal breached the Security Rule, it breached the contract, and a breach of contract entitles the non-breaching party to money.

The federal court dismissed the lawsuit. The court ruled that Plaintiff’s argument was simply a convoluted approach to get around the “no private action” rule, noting that “no private action” means, by definition, no right to sue under any basis, including on the basis of “negligence,” or the basis of “breach of contract.”

Need Help with HIPAA?

Let our complete HIPAA solution handle it.