POSTED BY ELIZABETH F. HODGE ON APRIL 16, 2013
Healthcare providers, other covered entities under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and now HIPAA business associates, should be aware that patients who believe that their protected health information (PHI) has been improperly accessed are suing those required to protect the privacy and security of PHI based on some novel legal theories. HIPAA does not provide individuals with a private cause of action; therefore, plaintiffs must try to incorporate allegations of violations of the HIPAA Privacy and Security Rules into existing state law and federal law causes of action.
In a recent class action lawsuit filed in federal court in Florida, the lead plaintiff alleges state law claims for breach of contract, breach of implied contract, unjust enrichment, and breach of fiduciary duty. All of the claims are based on the alleged failure of a hospital to implement safeguards to protect the PHI of patients as required by the HIPAA Security Rule. This allegedly resulted in a breach of patients' PHI by two employees of the hospital who were subsequently arrested and convicted of conspiracy and wrongful disclosure of individually identifiable health information.
The plaintiff, who was a patient at the hospital, claims that he paid for healthcare services, including privacy protections that the hospital "contracted" to provide. The plaintiff specifically refers to statements in the HIPAA Notice of Privacy Practices, the Florida Patient's Bill of Rights and Responsibilities, and the hospital's Confidentiality Policy. These documents were all posted on the hospital's website. The plaintiff alleges that he did not receive those privacy protections, thereby incurring damages in the form of the diminished value of his paid-for healthcare services. The plaintiff asks the court to award, among other relief, damages in an amount equal to the difference between the price plaintiff paid for the hospital's promise to secure PHI and the actual services rendered by the hospital, i.e., healthcare services devoid of paid-for protection.