HIPAA and the right to Sue

It has been generally understood that HIPAA has not permitted individuals impacted by a Breach to sue for damages. Some Covered Entities have even relied on this “shelter from non-governmental litigation” in their risk management.

However, the recent ruling in Emily Byrne vs. Avery Center for Obstetrics and Gynecology (by the Connecticut Supreme Court (the “Court”) may alter this legal landscape. Specifically the Court ruled that a state court negligence suit with HIPAA compliance as the metric brought by Ms. Byrne should be heard by a lower court as her claims under state law were not preempted by HIPAA. The suit is scheduled to be heard in 2015. The concept of HIPAA as the “compliance metric” or “standard of care” for negligence suits continues to gain momentum.

There are a number of things to take-away from the underlying suit. These include but may not be limited to:

  1. The venues for these types of cases are state courts as there still isn’t an ability to file a private federal suit under HIPAA.
  2. The inability to be privately sued for a Breach is not a viable risk management approach.
  3. The alleged negligence was caused by poor process and inadequate staff knowledge.
  4. At least for now, you can add the possibility of lawsuits in state courts with HIPAA as the “metric” to the growing list of possible consequences of a Breach.

Feel free to contact me with any comments or questions. I’m here to help.

Remember that this is not a legal opinion.