North Carolina appeals court allows new use of HIPAA in lawsuit
■ The patient sued the physician for negligence to get around a federal ruling against direct HIPAA privacy lawsuits.
By Amy Lynn Sorrel — Posted March 12, 2007
A North Carolina appeals court ruling suggests an alternate route patients may take to sue physicians for HIPAA violations, in spite of a 2006 federal decision that essentially closed the door on lawsuits brought directly under the privacy statute, experts warn.
The plaintiff in the case, Heather D. Acosta, was an employee and a patient at a psychiatric clinic, according to court records. She sued the clinic's owner, David R. Faber II, MD, in May 2005 for giving his medical records access password to an office manager. That person later disclosed Acosta's confidential information to a third party without her consent.
But rather than filing suit against Dr. Faber directly under HIPAA, Acosta sued him for negligence for giving the password to unauthorized personnel. The lawsuit accuses Dr. Faber of breaching his duty under the privacy regulations established under HIPAA and the rules adopted at the hospital system where the medical records are stored. Acosta alleges that he should have known that his negligence would cause her emotional distress.
A trial court dismissed the lawsuit, saying HIPAA did not create a private right of action. But the North Carolina Court of Appeals in December 2006 reversed that ruling. The appeals court said the patient was not making her claim under HIPAA; rather, she was using the privacy statute to establish the standard of care that Dr. Faber should have followed.
"Plaintiff cites to HIPAA as evidence of the appropriate standard of care, a necessary element of negligence," the opinion states. "Since plaintiff made no HIPAA claim, HIPAA is inapplicable beyond providing evidence of the duty of care owed by Dr. Faber with regards to the privacy of plaintiff's medical records." The court allowed the lawsuit to go forward. No trial date has been set.
Starting a new trend?
Legal experts could not immediately recall any similar rulings and said the North Carolina decision may set a precedent for other plaintiff attorneys to follow when filing privacy cases.
"What this case does is substitute the HIPAA standard for a jury's assessment of whether the doctor exercised reasonable care to prevent whatever was going to happen," said Philip H. Lebowitz, a HIPAA lawyer and partner with Philadelphia-based Duane Morris LLP.
He said the legal tactic is one that plaintiff attorneys likely will pick up, particularly in light of a November 2006 ruling by the 5th U.S. Circuit Court of Appeals. That decision was the first at the federal level to affirm that patients cannot sue directly under the statute. But judges intimated that patients could continue to bring privacy claims in state court.
Health lawyer Gregory D. Frost said the North Carolina ruling may be a first step toward using a HIPAA violation as the basis of a lawsuit.
He said the appeals court assumed that HIPAA set the standard for negligent conduct. But other courts, depending on states' legal standards, still could question if the federal regulation was intended to prevent a specific harm to patients, noted Frost, a HIPAA expert with Adams and Reese LLP in Baton Rouge, La.
"It's fair to say the original statute was never meant to set a standard that negligence was to be judged against," he said. "Ultimately we are going to get there, because the people these regulations are designed to protect are the same people who are injured when they are not followed. But it's something that courts might quibble over."
The plaintiff attorney in the case, Larry C. Economos, insisted that HIPAA clearly sets out a duty by which doctors must abide and a baseline for negligent conduct. "This was a doctor who had a duty not to violate [Acosta's] privacy," the Greenville, N.C. attorney said.
The appeals court also rejected the doctor's claim that the patient was essentially filing a medical liability case, Economos said. Judges found that providing the password qualified as an administrative action, not one involving direct patient care, according to the ruling.
Dr. Faber's attorneys declined to comment for the story.
Doctors who might have let their guard down thinking patients cannot sue them under HIPAA need to make sure their policies and procedures for authorized medical records access are tight, legal experts warn.
"The likelihood that individuals may use HIPAA in this way to seek redress warrants people's attention," Lebowitz said.