While it is true that federal laws related to privacy regarding medical records and treatment (“HIPAA”) impose universal standards on covered entities who provide medical care and treatment to protect a patient’s privacy, HIPAA does not explicitly create an individual right of action for patients affected by a privacy violation. This has been an impediment to bringing lawsuits against these medical providers where a clear HIPAA violation has occurred. It has been stated many times that an individual does not have a private right of action to bring her own complaint against a medical provider who fails to comply with HIPAA and releases her private medical information. Rather, this individual must file a complaint with the Department of Health and Human Services or the appropriate Georgia authority such as the Georgia Attorney General’s office or the Georgia Board of Medicine. Usually, if the federal or state agency decides to pursue a victim’s complaint, it may impose fines against the covered entity and force it to implement a set of standards to avoid future HIPAA violations. However, for the injured patient, i.e., the one who suffered because of the erroneous release of the private information, and the one who suffered damages in the form of invasion of privacy, mental anguish, lost income or job opportunities, etc. due to violation of their HIPAA rights, there has been little relief available in state court. This presents a predicament, as there is a harm without corresponding relief available to a plaintiff who has suffered due to the negligence of a doctor or hospital.
This lack of a private cause of action seems inconsistent with notions of fairness and justice. In other words, the one who is injured by the release of their medical records and information should be allowed to sue in Georgia state court for the damages caused by the medical provider who released the information. This type of cause of action would be similar to a medical malpractice lawsuit, but would sound in negligence and be based on the unlawful release of private information.
These cases are not brought under the HIPAA laws, but rather are brought in Georgia state court under traditional negligence theories. The negligence is supported by an evidentiary showing that the medical provider was negligent in disclosing a patient’s private information, and the plaintiff argues that the medical provider is responsible for all damages caused by the HIPAA violation and must be held liable for them. In this scenario, HIPAA provides an objective standard for examining a covered entity’s negligence in disclosing a person’s protected health information or “PHI.” While the lawsuit will not be brought under the applicable HIPAA laws, these laws will provide the plaintiff with the framework to bring these causes of action. If the plaintiff can prove HIPAA violations, that should support a finding of negligence against the medical provider in state court, even though the HIPAA laws are federal in nature. At least, that is the theory.