If you are a covered entity in any matter involving the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), you might derive some comfort from knowing that the legislation does not provide for a private right of legal action against you for any alleged wrongdoing under that law.
In other words, HIPAA does not grant license for any private individual to bring a lawsuit against you for damages.
And that is comforting, right? It does serve as a limitation on liability and, thus, as protection that mitigates business risk.
Nonetheless, no covered entity should be too confident because of the “no private right of action” limitation.
And here’s why: Notwithstanding its bar against private actions, there are still instances in which private litigants can bring suit against health-care entities under the cloak of HIPAA protections. As noted in a recent publication that covers medical news, “HIPAA may establish a standard of care relevant to an action under a different legal theory.”
Here’s an example, spotlighted in a recent federal case in which an appellate tribunal overruled a lower court’s dismissal of a case based on plaintiffs’ lack of standing. The tribunal found that a HIPAA covered entity (a health care group) was akin to a consumer reporting agency under the federal Fair Credit Reporting Act. Because the FCRA allows private rights of action against agencies that breach a duty of care to consumers, the health group by analogy could be sued in a class action matter involving the theft of unencrypted laptops that potentially compromised the personal information of about 840,000 health plan members.
As the writer of the above article notes, outcomes like that might cause covered entities under HIPAA to second-guess their perceived liability protections and “move [them] to redouble their compliance efforts.”