Synopsis: HIPAA provides no federal cause of action, but alleged HIPAA violations may be remedied in state court under state negligence law.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal statute providing for confidentiality of medical records under certain circumstances. It is administered by the federal Department of Health and Human Services (HHS), which can extract substantial fines for non-compliance. Although HIPAA does not provide a private right to sue for HIPAA violations, employers should be aware that remedies for non-compliance are not necessarily limited to federal agency fines.

A recent decision out of the Arizona Court of Appeals makes this point. In Shepherd v. Costco Wholesale Corp., 246 Ariz. 470 (2019), petition for review pending, the plaintiff alleged that, after he cancelled one of two prescriptions with the pharmacy, he requested that his wife (with whom he was reconciling) pick up the live prescription, and that the pharmacy mistakenly gave both to the wife. Plaintiff alleged as well that the cancelled prescription was embarrassing in nature, and that the pharmacist joked about it with the wife. The wife thereafter divorced the plaintiff, and the plaintiff sued the pharmacist to recover damages under a variety of state law tort theories, including negligence based on a state law duty of care informed by HIPAA.

The trial court granted a motion to dismiss, and the plaintiff appealed.

The state intermediate appellate court upheld the dismissal of all counts in the complaint, save the negligence count.

The appellate court stated that, although the negligence claim did not arise under HIPAA, the parties agreed that the pharmacy owed the plaintiff a duty of care to act as a reasonably prudent pharmacist would under the circumstances. The court then found that the allegations in the complaint for wrongful disclosure of protected information were sufficient to survive a motion to dismiss, and allowed the case to enter discovery and perhaps trial phases.

It is noteworthy that the pharmacy argued that HIPAA preempted state law. The court rejected the preemption argument, reasoning that allowing state law claims in this context does not interfere with government enforcement actions authorized by HIPAA. The court stated: "[A]dditional state law remedies encourage compliance with HIPAA by providing further means for patients to recover for harm suffered due to non-compliance." The court concluded: "[W]e hold HIPAA's requirements may inform the standard of care in state-law negligence actions just as common industry practice may establish an alleged tortfeasor's duty of care."

Lastly, the court, with one judge dissenting, kept alive the related punitive damages claim. Arizona law places no cap on punitive damages, although the United States Constitution forbids excessive punitive damages.

The take-away is — alleged HIPAA violations may be remedied by state lawsuits in addition to HHS fines. Also, stay tuned to state court developments. As noted, a petition for review of the Shepherd intermediate appellate court decision is pending in the Arizona Supreme Court.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.