by Daniel J. Solove
At first blush, it seems impossible for a person to sue for a HIPAA violation. HIPAA lacks a private cause of action. So do many other privacy and data security laws, such as FERPA, the FTC Act, and the Gramm-Leach-Bliley Act. That means that these laws don’t provide people with a way to sue when their rights under these laws are violated. Instead, these laws are enforced by agencies.
But wait! Stop the presses!
A recent decision by the Connecticut Supreme Court has concluded that people really can sue for HIPAA violations. As I will explain later, this is not a radical conclusion . . . though the implications of this conclusion could be quite radical and extend far beyond HIPAA.
A number of folks have blogged about this case, but not many have explored the depths of this rabbit hole.
Let’s start with the Connecticut Supreme Court decision, and then follow the White Rabbit. . . .
The Connecticut Supreme Court Invites HIPAA In
In Byrne v. Avery Center for Obstetrics and Gynecology, No. 18904, 2014 WL 5507439 (Conn. Nov. 11, 2014), Byrne received medical care from the Avery Center while in a personal relationship with Andro Mendoza. Byrne instructed the Avery Center not to release her medical records to Mendoza. Mendoza later filed a paternity suit, and the court issued a subpoena to the Avery Center to appear with Byrne’s medical records. Rather than appearing, the Avery Center mailed a copy of the records to the court. Byrne claimed that the disclosure of the records was not done properly under HIPAA and that she should have been notified of the subpoena before her records were produced.
The Connecticut Supreme Court held that HIPAA could be used as a basis in establishing the standard of care for negligence. According to the court, “to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”
The Common Law in Privacy and Data Security Cases
How can this be? The answer stems from the nature of the common law. The common law provides a myriad of causes of action for plaintiffs to bring in lawsuits. Some of the most common ones in privacy cases include the privacy torts, the breach of confidentiality tort, and negligence.
Breach of Confidentiality
In the medical context, for example, when a physician, hospital, or other entity has a duty of confidentiality and then breaches that duty, a plaintiff can sue under the breach of confidentiality tort. HIPAA comes in not to provide the cause of action – that’s supplied by the common law – but instead to define the standard used by the common law. For breach of confidentiality, courts look to norms, ethical rules, and laws to determine the duties that caregivers owe to patients. HIPAA is a law that establishes duties, and thus serves as a useful source of duties for the common law.
More than ten years ago, Peter Winn wrote a terrific article about this point, Confidentiality in Cyberspace: The HIPAA Privacy Rules and the Common Law, 33 Rutgers L.J. 617 (2002). He argued that state courts would likely use the HIPAA standards to evaluate breach of confidentiality claims. Winn contended that HIPAA could even expand the reach of the breach of confidentiality tort beyond healthcare providers to business associates.
Negligence
Negligence is becoming a more frequently used cause of action for privacy and data security violations. Typically, people think of negligence in terms of accidents. The traditional negligence case involves a car accident or a slip and fall. But negligence is quite a broad cause of action. It applies whenever a person owes others a duty of reasonable care, breaches that duty, and thereby causes injury.
In R.K. v. St. Mary’s Medical Center, 735 S.E.2d 715 (W. Va. 2012), R.K. was admitted to St. Mary’s as a psychiatric patient while in divorce proceedings with his estranged wife. While he was a patient, an employee of the hospital inappropriately accessed his files and shared confidential information with his wife. R.K. sued, claiming negligence among other causes of action. The defendant argued that many of R.K.’s claims were preempted by HIPAA.
The West Virginia Supreme Court of Appeals held not only that HIPAA did not preempt state law, but that HIPAA may provide the standard of care for tort claims, including negligence per se (an even more powerful result than ordinary negligence, because negligence per se often gives plaintiffs a rebuttable presumption that the defendant was negligent once the statutory violation is shown).
The Byrne court noted that “several courts have found that a HIPAA violation may be used either as the basis for a claim of negligence per se, or that HIPAA may be used to supply the standard of care for other tort claims.”
This conclusion is actually not controversial. These courts are just applying a traditional and well-established common law principle: statutes and regulations can readily be used to establish duties and standards of care.
Even though HIPAA lacks a private right of action, plaintiffs can still use HIPAA to establish a duty or standard of care under state common law. That means that the requirements of HIPAA can readily become the basis of a lawsuit, as there are many common law causes of action (such as negligence) that can be used to bring lawsuits for privacy and data security incidents.
These implications are radical enough. But why stop here? Let’s journey all the way to Wonderland!
Down the Rabbit Hole
We’ve stepped into the rabbit hole. And there’s room to go down.
That’s because the Connecticut Supreme Court’s reasoning doesn’t just apply to HIPAA – it can also apply to the numerous privacy and data security laws that lack a cause of action.
Et tu FERPA?
For example, consider FERPA, which also lacks a private cause of action. In Gonzaga University v. Doe, 536 U.S. 273 (2002), a student tried to sue a university that improperly disclosed information about him in violation of FERPA. The U.S. Supreme Court held that FERPA lacked a private cause of action, and that the student could not sue under FERPA or under 42 U.S.C. § 1983, which allows people to sue state actors for depriving them of rights secured by federal law.
FERPA enforcement has oft been criticized as being as ferocious as a miniature poodle with its teeth removed and on tranquilizers.
But there is a way for people to enforce FERPA. Sue! Like HIPAA, FERPA can serve as a source of duties and standards of care in the common law.
Let’s go further down the rabbit hole.
Other privacy and data security laws can serve as sources of common law duties and standards of care, regardless of whether they have a private cause of action. The FTC Act, for example, prohibits “unfair” and “deceptive” trade practices. The FTC has interpreted the Act to protect against privacy and data security violations, and has brought quite an extensive number of enforcement actions. For more detail about these actions, see my article, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014) (with Woodrow Hartzog). The FTC’s cases might be used as the basis for a duty or standard of care in the common law for privacy and data security.
The Children’s Online Privacy Protection Act (COPPA) provides privacy protections for data gathered by websites about children under 13. It lacks a private right of action, but it too could be used to establish common law duties and standards of care. One caveat: unlike HIPAA, FERPA, and many other privacy laws, COPPA expressly preempts inconsistent state law, and this fact might stop it from being used in this way.
The Gramm-Leach-Bliley Act (GLBA), which imposes privacy and data security requirements on financial institutions, could also be a source of duties and standards of care in the common law. So could other laws without a private right of action – whether federal or state.
The Rabbit Hole Goes Deeper
There’s no reason why the principle of looking to statutes to help establish duties and standards of care in the common law cannot also be applied to statutes that have their own causes of action, such as the Electronic Communications Privacy Act (ECPA) and the Cable Communications Policy Act (CCPA). The common law could expand the ways in which an entity could be liable beyond the contours of the particular statutory cause of action.
For example, one of the major limitations of the Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to another’s computer, is that its civil remedy carries a $5,000 threshold. That means that plaintiffs will not be able to receive compensation when another person or entity unlawfully accesses their computer unless they can prove a “loss aggregating at least $5,000 in value” (absent one of the statute’s other listed harms, such as physical injury or a threat to public health or safety). This has made it very hard for plaintiffs to proceed.
But this threshold does not exist in the common law. Common law torts could be used to bring a suit, and the CFAA could be used to establish a duty.
Even Deeper . . .
We’re not to the bottom yet.
When finding duties in the common law, courts will often look beyond the law of their particular state to see what other states are doing. If other state laws or common law cases establish duties or standards of care, then courts can use these to establish a duty or standard of care in their own state.
Deeper Still . . .
You think we hit bottom? Hardly a chance!
When looking for duties and standards of care in the common law, courts will also look beyond law to various ethical rules and other professional codes of conduct – even to widely-followed norms.
Consider McCormick v. England, 494 S.E.2d 431 (S.C. Ct. App. 1997), where the court recognized a duty of confidentiality for physicians. The court stated: “In the absence of express legislation, courts have found the basis for a right of action for wrongful disclosure in four main sources:
(1) state physician licensing statutes, (2) evidentiary rules and privileged communication statutes which prohibit a physician from testifying in judicial proceedings, (3) common law principles of trust, and (4) the Hippocratic Oath and principles of medical ethics which proscribe the revelation of patient confidences.”
For privacy and data security, there are a number of industry codes, such as the Payment Card Industry Data Security Standard (PCI DSS). Perhaps these could be used to establish common law duties and standards of care.
So could other codes, such as advertising industry codes regarding privacy and data security (NAI, DMA, etc.). So could the widely-articulated and adopted Fair Information Practice Principles (FIPPs).
Nearly anything can be used as evidence of a common law duty or standard of care . . . even an oath from antiquity.
Thus far, courts have barely traveled down the rabbit hole. Only a few cases have been decided drawing from other sources to find duties regarding privacy and data security in the common law. But the rabbit hole runs deep, and we’ll have to wait and see how far courts will follow the White Rabbit.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally published on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 860,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter