Covered entities may have found themselves breathing a sigh of relief following a recent decision from the U.S. Court of Appeals for the 4th Circuit. In Payne v. Taslimi (998 F.3d 648), the court ruled the plaintiff could not sue as an individual for a HIPAA violation.1 However, the ruling is not necessarily a complete win for healthcare organizations.
The Payne decision reaffirmed HIPAA does not create a private right of action for the improper disclosure of individually identifiable health information, explains Monica J. Manzella, JD, CIPP/US, with Baker Donelson in New Orleans. Further, the judges noted every circuit court to consider that question has held that HIPAA does not create such a right (citing decisions from various other circuits).1
In this most recent case, the incarcerated plaintiff asserted the prison physician improperly disclosed his individually identifiable health information related to his HIV diagnosis in violation of HIPAA, as well as the 14th Amendment.
“While the Payne decision made clear its position on the lack of a private right of action under HIPAA, it left open the potential for a cause of action based on a violation of privacy under the 14th Amendment for the improper disclosure of individually identifiable health information,” Manzella says.
She explains the 14th Amendment’s protection hinges on a two-prong test: 1) whether an individual has a “reasonable expectation of privacy” in the information, which entitles it to constitutional privacy protection. If yes, then 2) whether there exists a “compelling governmental interest” in the disclosure of such information that outweighs the privacy interest.
“Focusing on the specific facts before it, the Payne court limited its ruling to the first prong, considering whether the plaintiff had a reasonable expectation to privacy in his HIV status while in a prison medical unit, and found he did not,” Manzella says. “In reaching that conclusion, the court recognized that prison affords individuals a limited expectation of privacy, and further reasoned that whatever privacy exists after that limitation was even further diminished, considering that the medical information at issue concerned the diagnosis of and medication for HIV, which is a communicable disease.”
Since it found the facts did not satisfy the first prong, the court did not consider the second “compelling governmental interest” prong.
Still Some Uncertainty
Considering the narrow holding in Payne, covered entities and employers must be aware that an understanding of how those two prongs will play out in future cases remains murky, Manzella says. Taking the classification of the plaintiff from the category of incarcerated to a non-imprisoned, private individual could be one factor in favor of the reasonableness of that individual’s expectation of privacy.
“But even if the individual in question was an incarcerated individual similar to the plaintiff in Payne, what if the type of individually identifiable health information did not concern a communicable disease, or what if the information included both communicable and incommunicable disease details? Would that change the assessment of the first prong?” Manzella asks. “Moreover, the court did not consider the second ‘compelling governmental interest’ prong, which leaves the question open as to what would constitute such an interest that would override an individual’s reasonable expectation of privacy, assuming one exists, in the particular context of health information.”
HIPAA does not expressly allow for a private cause of action, but rather the enforcement is handled by the Health and Human Services Office for Civil Rights (OCR), notes Svetlana (Lana) Ros, JD, partner with Pashman Stein Walder Hayden in Hackensack, NJ. Violating HIPAA comes with a hefty price tag, including a significant financial penalty to the government, and usually a requirement for a compliance program and its implementation.
Over the years, OCR has not deterred individuals from filing suit against physicians, hospitals, and other covered entities in hopes of receiving a financial payout, Ros says. The Payne case is the most recent example. In its Payne decision, the court did not address whether there was a HIPAA violation; regardless, such a violation occurrence does not automatically give the individual the right to sue, Ros explains.
“This is a positive decision for the healthcare community because it is another case that reaffirms that HIPAA does not create a private right to sue. However, the ruling on the issue of the 14th Amendment is very specific because the court only looked at the issue of privacy of a prisoner,” Ros says.
Still Some Risk
In Payne, the court ruled there was no violation of the 14th Amendment because the prisoner lacked a reasonable expectation of privacy in his HIV status while incarcerated in a prison medical center. However, regarding covered entities living in fear of lawsuits brought by individuals, Ros does not believe they are in the clear.
“While this is a good holding for covered entities — because the court reaffirmed the position that HIPAA does not provide a private cause of action — many states have their own privacy laws, which provide for private causes of action,” Ros explains. “Additionally, the finding of no expectation of privacy granted by the Constitution in this case was very limiting, as it applied to inmates. The majority of the population is not incarcerated and, thus, enjoy a much greater expectation of privacy.”
Most lawsuits brought for violation of an individual’s HIPAA privacy rights also include claims of either state and/or federal privacy rights, Ros notes. She anticipates that plaintiff’s counsel will try to argue a viable cause of action under the 14th Amendment where there has been a disclosure of protected health information and no compelling government interest.
“Thus, it is important for covered entities to ensure that they are vigilant in staying current with HIPAA and state privacy laws and ensuring compliance,” Ros says. “It is also a good idea to consider obtaining and maintaining liability insurance in case the covered entity is sued by an individual or investigated by a government agency for a potential claim of violating HIPAA.”