A Missouri federal district court has ruled, in I.S. v. Washington University, that a HIPAA-covered entity’s disclosure of protected information can form the basis for a state-law negligence claim. The Court reached this holding despite the well-accepted principle there is no private cause of action under HIPAA.
The plaintiff, I.S., was undergoing medical treatment for colon cancer at Washington University. I.S. gave Washington University a limited authorization to disclose only the dates of her treatments in order to satisfy her employer’s medical leave requirements. Notwithstanding this limited authorization, plaintiff asserts that Washington University also sent her employer additional medical records and information that far exceeded her authorization. These included I.S.’s HIV status, mental health issues, and insomnia treatments. Based on that disclosure, I.S. sued Washington University for negligence per se based on a violation of HIPAA.
Procedurally, Washington University removed the state court action to federal court and sought dismissal of the negligence per se claim, arguing that HIPAA does not create a private cause of action.
The district court, disagreeing with Washington University, held the plaintiff’s claim could stand despite its exclusive reliance on HIPAA. The court held that a federal statute that does not provide for a private right of action nevertheless may be a legitimate element of a state law negligence per se claim.
Under Missouri law, among other things, the plaintiff must show:
· a violation of a statute or ordinance occurred,
· the plaintiff was a member of the class of people intended to be protected,
· the injury complained of was of the type intended to protect against, and
· the violation was the proximate cause of the plaintiff’s injury.
The Court found that I.S. had met all of the required elements of her claim and remanded the case back to state court. It held that I.S.’s claim, although premised on HIPAA, did not raise a federal question as it did not raise any compelling federal interests or present a substantial federal question.
This case illustrates the need for HIPAA covered entities to provide training and institute policies and procedures regarding HIPAA compliance. Here, a process for responding to requests for information would have highlighted the importance of carefully adhering to the limits of the authorization and prevented this alleged unauthorized disclosure, thus precluding I.S.’s claims. Additionally, employers, and their counsel, must be aware that common law claims may support litigation based on HIPAA, despite the fact HIPAA itself does not provide for a private cause of action.