Case of the Month: Patients Can’t Sue Labs for Privacy Breaches, Federal Court Confirms

The HIPAA law sets out civil and criminal penalties that can be imposed on labs (and other providers) that commit privacy violations. But one thing the HIPAA law does not specify is whether an individual victim can directly sue the lab for the harm he/she suffers as a result of its privacy breach. A brand new federal case targeting one of the nation's biggest lab companies addresses this crucial question.

The Situation
The case began when a LabCorp technician instructed a Washington, D.C., hospital patient to use an on-premises computer intake station to provide her medical information. The patient complained that the intake station was within eye and earshot of the adjacent station and snapped off photographs of the two stations with her smart phone. After the HHS Office of Civil Rights and DC Office of Human Rights rejected her privacy claim, the patient resolved to take LabCorp to court.

The Ruling
LabCorp claimed that the patient had no right to sue for a HIPAA violation. Or, to state it in legal terms, LabCorp argued that even if the adjacent intake stations did violate HIPAA rules, the patient had no legal case because the HIPAA statute neither expressly nor implicitly grants individuals a "private cause of action, i.e., the right to sue a provider in civil court for a violation. The court agreed and dismissed the case without a trial [Thomas v. LabCorp, U.S. District Court for the District of Columbia, No. 18-591 (RC), June 25, 2018].

The Law
The Thomas ruling is 100% in line with prior cases ruling against individual plaintiffs seeking to sue providers for HIPAA violations. In other words, any penalties to be handed out under HIPAA must come from the regulators, not the individual victims.

The First Caveat: Risk of Damages Under State Privacy Laws
There's more to medical privacy than HIPAA. Many states have adopted their own privacy laws to protect patients, including mandatory breach notification. In addition to providing for stiff penalties, some states provide broader remedies to individual victims, including a private cause of action for failure to provide timely notification of a privacy breach. Thus, while the doors to federal court may be barred, individuals victimized by lab privacy snafus may be able to sue and win big damages in state court.

The Second Caveat: Risk of Collateral Liability
The other thing labs need to keep in mind is how committing a HIPAA breach can heighten liability risks under other laws. For example, failure to properly protect PHI can serve as powerful evidence in a negligence, malpractice or consumer fraud case against a lab.