HIPAA does not give an individual the right to sue when a covered entity violates HIPAA. A U.S. District Court Judge in California, however, has recently concluded that a HIPAA violation could form the basis for a claim of negligence and invasion of privacy. Many of us have speculated that this would happen one day, and now it has.
In the case Poli v. Mountain Valleys Health Center et al., Case No. 2:05-2015-GEB-KJM, Mr. Poli was an employee of Mountain Valleys Health Center. In response to a police investigation about alleged drug abuse by Mr. Poli, Mountain Valleys Health Center called Mr. Poli's pharmacy, Rite Aid; obtained his prescription drug records without an authorization; and ultimately terminated his employment. Although it's not clear from the decision, it seems that Mountain Valleys Health Center shared Mr. Poli's prescription drug records with the police even though the police did not have a subpoena.
Mr. Poli sued both Mountain Valleys Health Center and Rite Aid pharmacy, alleging a violation of public policy for failure to comply with HIPAA, negligence, and invasion of privacy. Although the negligence and invasion of privacy claims are not strictly HIPAA claims, they are premised on the legal protections provided under HIPAA. The negligence claim asserts that the defendants breached a duty to protect the plaintiff's medical information, and the invasion of privacy claim asserts that the plaintiff had a legally protected privacy interest in his medical records.
Because HIPAA does not give individuals the right to sue when a covered entity fails to comply with HIPAA, the court dismissed the violation of public policy claim. It refused, however, to dismiss the negligence and the invasion of privacy claims. As a result, Mountain Valleys Health Center and Rite Aid will have to defend the claims on their merits.
This case demonstrates how important it is to follow the HIPAA privacy rules when faced with a request for medical information. Had Mountain Valleys and Rite Aid insisted that the police obtain a subpoena or some other court order before releasing information, they might have been able to avoid this legal entanglement. Remember, too, that compliance requires not only appropriate policies and procedures but also proper training. I'm sure that Rite Aid had policies and procedures requiring a subpoena or authorization, but the employee who released the prescription drug records seems to have been unaware of these policies.
If you have any questions about HIPAA security or privacy issues, please contact Norbert F. Kugele.