HealthBlawg

David Harlow's Health Care Law Blog

Federal appeals court: No private right of action to enforce HIPAA

Is there a private right of action to enforce HIPAA?  The answer is now more definitive than ever: No. 

This week, the Fifth Circuit Court of Appeals — the first federal appeals court to decide this issue — went along with every federal district court that has considered the issue (not to mention the regs themselves, which are pretty clear on the subject).  (See the decision here.  See HIPAA regs and more on OCR’s HIPAA page here.)

Why has the plaintiff bar continued to assert a private right of action under HIPAA?  First of all, why not?  Throw it all against the wall and see what sticks. Second, if it were successful, it would bootstrap a state law claim into Federal court, which may be beneficial to the plaintiff.  (In Acara v. Banks, the 5th Circuit decision handed down November 13, the remaining state law claims were dismissed because there was no diversity jurisdiction.)  Third, from a broader perspective, one function of the private lawsuit is to effect social change.

Now that the government seems poised to actually enforce HIPAA, the third reason may go by the boards (I know, I know . . . we still need to wait and see).  If enforcement is truly stepped up for the benefit of the public, perhaps the plaintiff bar can make peace with its inability to rely on the first two reasons for pursuing the private right of action. 

In any event, those within the community of "covered entities" under HIPAA need to get with the program and come into full compliance, and I have seen a renewed interest in HIPAA compliance audits of late.

— David Harlow

you might also like:

  1. HIPAA: Liability to Private Parties for Violations

  2. Stolen Laptops Class Action Gets New Legs

  3. Federal appeals court upholds Wal-Mart win over Maryland "fair share" employee health benefits law

Comments

  1. Thank you for this information, however a private right of action was allowed to go forward using the HIPAA Privacy rule as the standard that health care providers cannot fall below in the State of North Carolina by the Appellate Court in that State.

    Take a look at Acosta v. Byrum, the Appellate Court allowed an indivivual to sustain a cause of action on negligent infiction of emotional distress.

    Also see the State of Oregon wherein the AG in that State facilitated the settlement of class action lawsuit, see the OR AG’s web site for this information against Providence Health.

    More like this is to come!!!!