HIPAA Briefing: Can Patients Sue Labs for Privacy Breaches?

Violating HIPAA restrictions subjects your lab to fines and other penalties dished out by the HHS Office of Civil Rights (OCR) and other regulators. But can the individual victims whose personal health information you compromise also sue you for damages under the law? It’s a question that the HIPAA law does not expressly address. But a new federal case targeting LabCorp sheds light on this crucial question.

Spoiler Alert

The court confirmed what previous courts have said, namely, that patients have no private right of action under HIPAA.

The Situation
The case began when a LabCorp technician instructed a Washington, D.C., hospital patient to key her private medical information into an on-premises computer intake station. The patient complained that the intake station was within eyeshot and earshot of the adjacent station, and she photographed the two stations with her smartphone in case she needed evidence to document her privacy complaint later on. After the OCR and DC Office of Human Rights rejected her privacy claim, the patient decided to take LabCorp to court.

The Ruling
LabCorp claimed that the patient had no right to sue for a HIPAA violation. Or, to state it in legal terms, LabCorp argued that even if the adjacent intake stations did violate HIPAA rules, the patient had no legal case because the HIPAA statute neither expressly nor implicitly grants individuals a “private cause of action,” i.e., the right to sue a provider in civil court for money damages. The court agreed and dismissed the case without a trial [Thomas v. LabCorp, U.S. District Court for the District of Columbia, No. 18-591 (RC), June 25, 2018].

The Law
The Thomas ruling is in line with previous cases ruling against individual plaintiffs seeking to sue providers for money damages for HIPAA violations. In other words, any penalties to be imposed on providers under HIPAA must come from the regulators, not the individual victims.

The First Caveat: Risk of Damages Under State Privacy Laws
Of course, there’s more to medical privacy than HIPAA. Many states have adopted their own privacy laws to protect patients, including mandatory breach notification. In addition to providing for stiff penalties, some states provide broader remedies to individual victims, including a private cause of action for failure to provide timely notification of a privacy breach. Thus, while the doors to federal court may be barred, individuals victimized by lab privacy snafus may be able to sue and win big damages in state court.

The Second Caveat: Risk of Collateral Liability
The other thing labs need to keep in mind is how committing a HIPAA breach can heighten liability risks under other laws. For example, failure to properly protect PHI can serve as powerful evidence in a negligence, malpractice or consumer fraud case against a lab.


1. Patients can’t sue labs for HIPAA violations
2. Patients may be able to sue you for state privacy violations
3. HIPAA violations may make it easier for patients to sue for negligence and other violations

