Is there a private right of action to enforce HIPAA? The answer is now more definitive than ever: No.
This week, the Fifth Circuit Court of Appeals — the first federal appeals court to decide this issue — went along with every federal district court that has considered the issue (not to mention the regs themselves, which are pretty clear on the subject). (See the decision here. See HIPAA regs and more on OCR’s HIPAA page here.)
Why has the plaintiff bar continued to assert a private right of action under HIPAA? First of all, why not? Throw it all against the wall and see what sticks. Second, if it were successful, it would bootstrap a state law claim into Federal court, which may be beneficial to the plaintiff. (In Acara v. Banks, the 5th Circuit decision handed down November 13, the remaining state law claims were dismissed because there was no diversity jurisdiction.) Third, from a broader perspective, one function of the private lawsuit is to effect social change.
Now that the government seems poised to actually enforce HIPAA, the third reason may go by the boards (I know, I know . . . we still need to wait and see). If enforcement is truly stepped up for the benefit of the public, perhaps the plaintiff bar can make peace with its inability to rely on the first two reasons for pursuing the private right of action.
In any event, those within the community of "covered entities" under HIPAA need to get with the program and come into full compliance, and I have seen a renewed interest in HIPAA compliance audits of late.
— David Harlow