State Law Claims Based on HIPAA Guideline Violations Are Not Preempted by HIPAA
03.25.2015| By Gavrila A. Brotz
Though the Health Insurance Portability and Accountability Act of 1996 (HIPAA) precludes a private right of action in the event of a breach of confidentiality, recent decisions have found that claims based on such breaches under state laws are not preempted by HIPAA, even where failure to comply with HIPAA guidelines is a basis for such claims. In Byrne v. Avery Center, the Connecticut Supreme Court recently cited a growing body of case law in holding that common law claims for negligence were not preempted by HIPAA, even where violations of HIPAA’s protections were alleged in support of those claims. In 2012’s R.K. v. St. Mary’s Medical Center, The Supreme Court of Appeals of West Virginia noted "the absence of a plethora of precedent on the issue of HIPAA preemption of state-law claims" before arriving at a similar result. The confidential nature of the protected health information disclosed in both Byrne and R.K. was dramatic. The information disclosed related to the patients’ estranged partners, causing emotional distress through the disclosure of, respectively, a pregnancy and psychiatric records. Following the disclosures, the patients sued the health care facilities for negligence and infliction of emotional distress. In each case, the defendant facilities argued that disclosure of protected health information was governed by HIPAA, which provides no private right of action, and which "supersede[s] any contrary provision of State law."
However, both courts held that state law claims allowing for a private right of action are not "contrary" to HIPAA because it is possible to comply with both HIPAA and state law private rights of action for disclosures of confidential information. Neither does the allowance of a private cause of action create an "obstacle" to HIPAA’s goals of establishing disincentives to wrongfully disclose a patient’s health care record. As the Byrne court noted, state causes of action are not ordinarily preempted solely because they impose liability over and above that authorized by federal law. Though HIPAA provides criminal penalties for such disclosures, these decisions found that this remedy does not occupy the same field of relief of those provided by private causes of action.
While recognizing that a plaintiff cannot assert an express cause of action for a HIPAA violation, the Connecticut and West Virginia Supreme Courts held that violations of HIPAA can be used as evidence of the appropriate standard of care that was not met to support negligence claims. Reversing a trial court decision, the Connecticut Supreme Court in Byrne determined that "a complaint alleging a violation of a federal statute as an element of a state cause of action, when Congress has determined that there should be no private, federal cause of action for the violation," is not necessarily preempted by that federal statute. Rather, the Byrne court relied on the increasing number of federal and sister state court decisions holding that a HIPAA violation may be used either as the basis for a claim or as the standard of care to support other tort claims.