Anthem Inc. (“Anthem”), the nation's second-largest health insurer, disclosed on Wednesday, February 4, 2015, that it was the victim of a major cyber-attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including member names, member health ID and Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information. As of the date of this publication, it has not yet been determined whether the hackers obtained access to health information.
The day after Anthem’s announcement, the first of several class action lawsuits against Anthem for the data breach was filed. Approximately 40 additional cases have since been filed against Anthem. The class actions allege harm due to the disclosure and compromise of the plaintiffs’ personal, health and financial information resulting from the Anthem data breach and Anthem’s purported failure to provide timely and accurate notice. Moreover, the class actions claim that Anthem did not encrypt the data that was stolen. Amongst other causes of action, the lawsuits have alleged claims for negligence, negligence per se, breach of implied contract, and violations of various state laws.
These lawsuits demonstrate that the healthcare industry should be concerned about the privacy and security of the personal, health and financial information in their possession for reasons beyond just the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d, et seq. (“HIPAA”). HIPAA does not provide for a private right of action. However, as explained in more detail below, several states have recently allowed plaintiffs to sidestep HIPAA’s prohibition of a private right of action. Courts have allowed plaintiffs to use HIPAA to set the standard of care in state law claims, including negligence, invasion of privacy and state privacy claims.
State’s Highest Court Permits Claims Premised On HIPAA’s Standard of Care
Several state courts have recently permitted private claims related to HIPAA to go forward under state law. Notably, the Connecticut Supreme Court recently held that HIPAA does not preempt common-law claims for negligence and negligent infliction of emotional distress against a health care provider. In Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433, 102 A.3d 32 (Conn. 2014), the court found that HIPAA may be considered in determining the standard of care governing the handling of medical records in connection with negligence claims under state law. Other courts have allowed similar claims. See, e.g., R. K. v. St. Mary’s Med. Ctr., Inc., 229 W. Va. 712, 718–21 (W. Va. 2012) (using HIPAA as standard of care for breach of medical confidentiality); Acosta v. Byrum, 180 N.C. App. 562, 568 (N.C. Ct. App. 2006) (acknowledging HIPAA as setting the standard of care); I.S. v. Washington Univ., 2011 U.S. Dist. LEXIS 66043, at *16 (E.D. Mo. June 14, 2011) (recognizing claim for negligence per se despite HIPAA). However, Byrne is the first such decision by a state’s highest court.
In Byrne, the defendant medical practice produced the plaintiff’s medical records pursuant to a subpoena in the context of a paternity suit. The practice did not notify the plaintiff of the disclosure despite her directions not to release the records. Byrne, 314 Conn. at 437. The plaintiff then filed a lawsuit alleging that the defendant medical practice: (1) breached its contract with the plaintiff by violating its privacy policy and disclosing her protected health information (“PHI”) without authorization; (2) negligently failed to use proper and reasonable care in protecting her medical file; (3) negligently misrepresented that the privacy of her health information would be protected in accordance with law; and (4) engaged in conduct constituting negligent infliction of emotional distress. Id. at 438.
The Connecticut Supreme Court reversed the trial court’s dismissal of plaintiff’s tort claims by finding that state laws relating to the privacy of PHI, which are more stringent than HIPAA, are exempt from HIPAA preemption. State laws are only preempted if they are contrary to HIPAA by making it impossible to comply with both state and federal requirements or by posing as an obstacle in complying with HIPAA. Moreover, the court pointed to the regulatory intent...