Skip to main content
A Better Partnership


Jan 2006
January 01, 2006

Court Refuses to Dismiss Claims of Negligence and Invasion of Privacy Based on HIPAA Duty to Protect Health Information

HIPAA does not give an individual the right to sue when a covered entity violates HIPAA. A U.S. District Court Judge in California, however, has recently concluded that a HIPAA violation could form the basis for a claim of negligence and invasion of privacy. Many of us have speculated that this would happen one day, and now it has.

In the case Poli v. Mountain Valleys Health Center et al, Case No. 2:05-2015-GEB-KJM, Mr. Poli was an employee of Mountain Valleys Health Center. In response to a police investigation about alleged drug abuse by Mr. Poli, Mountain Valleys Health Center called Mr. Poli's pharmacy, Rite Aid; obtained his prescription drug records without an authorization; and ultimately terminated his employment. Although it's not clear from the decision, it seems that Mountain Valleys Health Center shared Mr. Poli's prescription drug records with the police even though the police did not have a subpoena.

Mr. Poli sued both Mountain Valleys Health Center and Rite Aid pharmacy, alleging a violation of public policy for failure to comply with HIPAA, negligence, and invasion of privacy. Although the negligence and invasion of privacy claims are not strictly HIPAA claims, they are premised on the legal protections provided under HIPAA. The negligence claim asserts that the defendants breached a duty to protect the plaintiff's medical information, and the invasion of privacy claim asserts that the plaintiff had a legally protected privacy interest in his medical records.

Because HIPAA does not give individuals the right to sue when a covered entity fails to comply with HIPAA, the court dismissed the violation of public policy claim. It refused, however, to dismiss the negligence and the invasion of privacy claims. As a result, Mountain Valleys Health Center and Rite Aid will have to defend the claims on their merits.

This case demonstrates how important it is to follow the HIPAA privacy rules when faced with a request for medical information. Had Mountain Valleys and Rite Aid insisted that the police obtain a subpoena or some other court order before releasing information, they may have been able to avoid this legal entanglement. Remember, too, that compliance requires not only appropriate policies and procedures but also proper training. I'm sure that Rite Aid had policies and procedures requiring a subpoena or authorization, but the employee who released the prescription drug records seems to have been unaware of these policies.

If you have any questions about HIPAA security or privacy issues, please contact Norbert F. Kugele.

NOTICE. Although we would like to hear from you, we cannot represent you until we know that doing so will not create a conflict of interest. Also, we cannot treat unsolicited information as confidential. Accordingly, please do not send us any information about any matter that may involve you until you receive a written statement from us that we represent you.

By clicking the ‘ACCEPT’ button, you agree that we may review any information you transmit to us. You recognize that our review of your information, even if you submitted it in a good faith effort to retain us, and even if you consider it confidential, does not preclude us from representing another client directly adverse to you, even in a matter where that information could and will be used against you.

Please click the ‘ACCEPT’ button if you understand and accept the foregoing statement and wish to proceed.



+ -