A federal court in New Mexico recently declined to dismiss tort claims asserted by a registered nurse against her employer, a government-run hospital, where she obtained treatment for a sexual assault. In denying the motion to dismiss, the court effectively rejected the federal government’s attempt to escape claims based on invasion of privacy for the disclosure of information regarding the assault (G.R. v. United States).
However, the court withheld ruling on the government’s motion to dismiss plaintiff’s claim for “negligence per se” based on the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Instead, the court certified for the New Mexico Supreme Court the question of whether the claim fails, as there is no private right of action afforded by HIPAA. This case serves as a valuable reminder for hospitals of the broad implication of liability for disclosing private information, including the potential impact of HIPAA violations beyond mere regulatory enforcement.
Alleged Disclosure of Treatment Leads To Court Battle
The plaintiff sued her employer, Gallup Indian Medical Center, for the dissemination of information relating to treatment she received there after she fell victim to a physical and sexual assault. Her lawsuit claims the hospital disclosed private details of the assault to coworkers who were not her direct care providers. Specifically, G.R brought tort claims for public disclosure of private facts, intentional infliction of emotional distress, negligence, and negligence per se. The claim for negligence per se – a theory whereby an act is considered automatically negligent because it violates an existing statute – was premised on the hospital’s alleged HIPAA violation.
The hospital moved to dismiss G.R.’s claims for negligence, negligence per se, and public disclosure of private facts, but the court permitted the claims for negligence and public disclosure to proceed. It found no legitimate public interest was served in publicizing the nurse’s assault, and therefore greenlighted her privacy claim. In sum, the court did not take lightly the government’s attempt to avoid liability for disclosure of private information. It declined to rule on the negligence per se claim, however, and specifically avoided answering the question of whether a HIPAA violation may legally set the standard of care for such a cause of action.
Tort Liability By Virtue Of A HIPAA Violation?
As G.R.’s case illustrates, there could be serious repercussions for an employer’s improper disclosure of private information. Particularly significant are the questions raised concerning the potential HIPAA implications. Hospitals are quite familiar with the requirements HIPAA imposes on healthcare entities involved in the exchange of health information, as well as the potential civil and criminal penalties for the disclosure of such information. However, hospitals may not know the broader implication of liability for HIPAA violations in civil lawsuits. Although it is well-established that HIPAA does not create a private right of action, a recent trend in litigation has forced many courts to tackle whether HIPAA may form the basis of a state law claim for negligence per se.
First, it’s important to understand the basic elements of a state negligence per se claim. To succeed on such a claim, the plaintiff must establish that: (1) the defendant violated a statute which sets forth a standard of care; (2) the plaintiff is a member of the class of people the statute is designed to protect; and (3) the plaintiff suffered an injury which the statute is designed to prevent. Essentially, the negligence per se doctrine allows the trier of fact to automatically consider a defendant’s actions negligent by virtue of a statutory violation without employing the traditional “reasonable person” standard. The question of whether HIPAA regulations may determine a standard of care a hospital should follow when handling private information, thereby enabling a private litigant to assert a tort claim, is at the forefront of modern healthcare litigation.
Although the court in G.R.’s case passed the issue to the New Mexico Supreme Court to resolve, several other courts across the country have tackled the issue on the merits. These courts have consistently allowed claims of negligence per se to proceed on the basis of an alleged HIPAA violation. The reasoning behind this trend is largely consistent across the board; as healthcare providers are certainly familiar with HIPAA procedures when it comes to rendering patient care, this same standard is appropriate to adjudge negligence claims involving the disclosure of private information. Although plaintiffs cannot bring a private right of action for an alleged HIPAA violation, courts have had no problem using the statute to impose the healthcare provider’s legal duty of care to the patient. To the chagrin of healthcare providers, the latter has generally been held to be permissible.
The Main Takeaway
G.R.’s case illustrates the continued interplay between HIPAA and state law and, specifically, the potential for lawsuits when plaintiffs use statutory violations as a basis for private tort claims. The path has now been forged for the use of HIPAA violations in a way that was arguably not the intention of federal lawmakers when the statute was created. Accordingly, it is critical that healthcare providers ensure strict HIPAA compliance to avoid not only regulatory enforcement but also individual civil lawsuits, where the price for a mistake can be considerably higher.