4th Circuit Holds No Private Cause of Action Exists Under HIPAA: Payne v Taslimi
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal law that required creation of national standards for the protection of sensitive patient health information and to prevent disclosure of such information without the consent or knowledge of the patient. The text of the law is codified at 42 U.S.C. § 1320d to 42 U.S.C. § 1320d-9. HIPAA covers a number of different subjects, but the primary focus is privacy related to health information. Specifically, HIPAA provides that “[a] person who knowingly…discloses individually identifiable health information to another person” without authorization shall be punished through fines, imprisonment or both. 42 U.S.C. § 1320d-6(a)(3), (b). HIPAA applies to “covered entities,” including (1) health plans, such as health insurance companies; (2) health care clearinghouses like billing companies; and (3) health care providers. HIPAA created federal regulations to remedy the lack of medical privacy in the healthcare industry.
An important question analyzed by many federal circuit courts is whether HIPAA creates a private right of action to enforce the substantive statutory prohibitions. Every Circuit Court to consider this question has determined that HIPAA does not create a private right to sue. HIPAA does not specifically create individual rights for persons affected by alleged medical privacy violations, and such persons cannot bring a lawsuit against the party claimed to be responsible for the privacy violations. The most recent decision comes from the United States Court of Appeals for the Fourth Circuit in Payne v. Taslimi. 998 F.3d 648 (4th Cir. 2021). The Fourth Circuit Court held that HIPAA does not create a private cause of action after it upheld the dismissal of a lawsuit brought by a pro se prisoner who claimed that HIPAA was violated after his protected health information was disclosed while in prison.
The Lawsuit
In Payne, Christopher Payne, a pro se prisoner was approached by Dr. Jahal Taslimi while in the medical unit and told that he had not taken his HIV medications that day. Payne described that the medical unit was like an “’open dorm, so other staff, offenders and civilians were close enough to overhear Dr. Taslimi’s statement.” Payne alleged that some of the other people who were nearby stopped talking and looked over at him, and he claimed that other prison staff and inmates learned that he was on HIV medication.
The lawsuit asserted, among other claims, that the doctor’s conduct violated his Fourteenth Amendment right to privacy and HIPAA pursuant to 42 U.S.C. § 1983. 42 U.S.C. § 1983 is the statute enacted by Congress that allows for lawsuits to address violations of constitutional rights. The District Court dismissed Payne’s Complaint for failure to state a claim, following which Payne appealed.
The Fourth Circuit Court of Appeals’ Ruling
The Fourth Circuit upheld the dismissal of Payne’s claims holding that he had no constitutional right to privacy while in prison and that Payne did not have a private right to sue that could be enforced under Section 1983. With specific regard to the right to sue for claimed violation of HIPAA, the Court, quoting Planned Parenthood S. Atl. v Baker, 941 F.3d 687, 696 (4th Cir. 2019), held that “[e]ven if Dr. Taslimi violated this provision, a plaintiff seeking remedy under § 1983 ‘must assert the violation of federal right, not merely a violation of federal law.’” For Payne to recover under HIPAA, the statute must create a private right to sue that can be enforced under § 1983. The Court declined to stray from its “sister circuits” and specifically noted that HIPAA does not create a private right to sue.
The Fourth Circuit referenced the Second Circuit’s decision in Meadows v. United Services, Inc., 963 F.3d 240 (2nd Cir. 2020), which analyzed the language within 42 U.S.C. § 1320d-1 to 42 U.S.C. § 1320d-7, and determined that “the statute does not expressly create a private cause of action for individuals to enforce” the prohibition against disclosure of protected health information without consent. The Circuit Courts have also examined whether there is any implied private right of action within the statute. HIPAA focuses on regulating persons with access to medical information rather than conferring privacy rights on a specific class of persons. Acara v Banks, 470 F.3d 569, 571 (5th Cir. 2006). “Statutes that focus on the person regulated rather than the individuals protected create ‘no implication of an intent to confer rights on a particular class of persons.’” Alexander v. Sandoval, 532 U.S. 275 (2001). In other words, courts disfavor implied causes of action where Congress has provided other means for enforcement of a particular statute. That HIPAA does not focus on the rights of individual patients and does not confer any individual privacy rights to individual patients were factors against finding an implied private right of action.
In addition, HIPAA provides for civil and criminal penalties to be imposed for improper disclosure of medical information, but limits enforcement to the Secretary of the Department of Health and Human Services. 42 U.S.C. § 1320d-1, d-3, d-5, d-6. The Circuit Courts have reasoned that delegation of enforcement clearly indicates that Congress did not intend to create a private remedy, nor did it intend to allow for private enforcement. Id.; see also Acara, 470 F.3d at 571.
Ultimately, despite the depth and complexity of the HIPAA statute and its application, the Fourth Circuit’s decision in Payne further confirms that HIPAA does not confer individual privacy rights and does not provide a private cause of action for individuals who believe their rights have been violated under the statutory scheme. As a result, only the Department of Health and Human Services and state Attorneys General have the ability to enforce violations under HIPAA. Further, it has been confirmed that courts cannot create a private right of action in a statute where one does not exist.
North Carolina Courts have also examined this same issue and have determined that, under North Carolina law, there are no additional privacy rights related to disclosure of health information that are actionable in a civil lawsuit. However, while North Carolina courts may not recognize a private right of action, it has been held that the HIPAA Privacy Act may be used as the “standard of care” for claims that relate to a provider’s obligations to maintain the privacy of confidential and protected health information. For instance, the North Carolina Court of Appeals held that allegations of a HIPAA violation were a sufficient basis to support a claim for negligent infliction of emotional distress. Acosta v. Byrum, 180 N.C. App. 562, 638 S.E.2d 246 (2006). The plaintiff in Acosta did not sue for HIPAA violation, but instead used HIPAA as the standard of care to support her claim of negligent infliction of emotional distress. Regardless of this holding, it is worth noting that in order to succeed with a claim for negligent infliction of emotional distress, there must be more than a showing of a violation of HIPAA. Instead, a plaintiff would need to show “severe emotional distress,” which is generally a diagnosable psychiatric condition. Thus, if the alleged HIPAA violation does not result in a diagnosable condition requiring some medical treatment, the claim is not likely to be successful. Further, it must be shown that the claimed injury was a reasonably foreseeable result of the alleged HIPAA violation.
HIPAA is a complicated federal law that can often be problematic to interpret and follow. Also, despite the fact that no private right of action is created under HIPAA, the statutory scheme does require specific obligations related to the protection of private health information. Therefore, it is important for “covered entities” to examine their procedures and practices to ensure compliance with HIPAA, lest they become the subject of an action over a violation.