Even More At Stake Than Meets The Eye With Potential HIPAA Violations

by Fisher Phillips

A federal court in New Mexico recently declined to dismiss tort claims asserted by a registered nurse against her employer, a government-run hospital, where she sought and obtained treatment for a brutal sexual assault. In denying the motion to dismiss, the court effectively rejected the federal government’s attempt to escape claims based on invasion of privacy for the disclosure of detailed information regarding the assault (G.R. v. United States).

However, the court withheld ruling on the government’s motion to dismiss plaintiff’s claim for “negligence per se” based on the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Instead, the court certified for the New Mexico Supreme Court the question of whether the claim fails, as there is no private right of action afforded by HIPAA. This case serves as a valuable reminder for hospitals of the broad implication of liability for disclosing private information, including the potential impact of HIPAA violations beyond mere regulatory enforcement.  

Factual Background: Alleged Disclosure Of Treatment Leads To Court Battle

The plaintiff (who filed the suit using her initials G.R.) sued her employer, Gallup Indian Medical Center, for the dissemination of information relating to treatment she received there after she fell victim to a physical and sexual assault. Her lawsuit claims the hospital disclosed private details of the assault and injuries to coworkers who were not her direct care providers. G.R. alleged the disclosure caused further trauma and humiliation, preventing her return to work, and ultimately causing her to leave her job and move away. In response, she brought tort claims for public disclosure of private facts, intentional infliction of emotional distress, negligence, and negligence per se. The claim for negligence per se – a theory whereby an act is considered automatically negligent because it violates an existing statutory or regulatory scheme – was premised on the hospital’s alleged HIPAA violation.

The hospital moved to dismiss G.R.’s claims for negligence, negligence per se, and public disclosure of private facts, but the court permitted the claims for negligence and public disclosure to proceed. It found no legitimate public interest was served in publicizing the nurse’s sexual assault, and therefore greenlighted her privacy claim. In sum, the court did not take lightly the government’s attempt to avoid liability for disclosure of private information. It declined to rule on the negligence per se claim, however, and specifically avoided answering the question of whether a HIPAA violation may legally set the standard of care for such a cause of action.

Tort Liability By Virtue Of A HIPAA Violation?

As G.R.’s case illustrates, there could be serious repercussions for an employer’s improper disclosure of sensitive and private information, especially if the information is health-related. Particularly significant are the questions raised concerning the potential HIPAA implications if a hospital discloses an employee’s health information. 

Hospitals are quite familiar with the requirements HIPAA imposes on healthcare entities involved in the exchange of health information, as well as the potential civil and criminal penalties for the improper handling or disclosure of such information. However, hospitals may not know the broader implication of liability for HIPAA violations in civil lawsuits. Although it is well-established that HIPAA does not create a private right of action, a recent trend in litigation has forced many courts to tackle whether HIPAA may form the basis of a state law claim for negligence per se.

First, it’s important to understand the basic elements of a state negligence per se claim. Although the specific requirements vary from state to state, to succeed on such a claim, the plaintiff must generally establish that: (1) the defendant violated a statute which sets forth a standard of care; (2) the plaintiff is a member of the class of people the statute is designed to protect; and (3) the plaintiff suffered an injury which the statute is designed to prevent. Essentially, the negligence per se doctrine allows the trier of fact to automatically consider a defendant’s actions negligent by virtue of a statutory violation without employing the traditional “reasonable person” standard. Accordingly, the question of whether HIPAA regulations may determine a standard of care a hospital should follow when handling private information, thereby enabling a private litigant to assert a tort claim, is at the forefront of modern healthcare litigation.

Although the court in G.R.’s case passed the issue to the New Mexico Supreme Court to resolve, several other courts across the country have already tackled the issue on the merits. Unfortunately, these courts have consistently allowed claims of negligence per se to proceed on the basis of an alleged HIPAA violation. The reasoning behind this trend is largely consistent across the board; as healthcare providers are certainly familiar with HIPAA procedures when it comes to rendering patient care, this same standard of care is often used when adjudging negligence claims involving the disclosure of private information.

Although plaintiffs cannot bring a private right of action for an alleged HIPAA violation, courts have had no problem using the statute to simply establish the healthcare provider’s legal duty of care to the patient. To the chagrin of healthcare providers, the latter has generally been held to be permissible. Moreover, according to the decisions rendered thus far, the availability of a negligence per se claim based on a violation of HIPAA does not preclude, conflict with, or complicate a healthcare provider’s compliance with HIPAA regulations, thereby eliminating a preemption argument.

The Main Takeaway

The G.R. v. United States case illustrates the continued interplay between HIPAA and state law and, specifically, the potential for lawsuits when plaintiffs use statutory violations as a basis for private tort claims. The path has now been forged for the use of HIPAA violations in a way that was arguably not the intention of federal lawmakers when the statute was created.

As of today, the absence of a private right of action under HIPAA is not necessarily a bar to using evidence of a privacy breach under the statute to support a state tort claim. Accordingly, it is critical that healthcare providers ensure strict HIPAA compliance to avoid not only regulatory enforcement but also individual civil lawsuits, where the price for a mistake can be considerably higher.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fisher Phillips | Attorney Advertising
