A little knowledge can be a dangerous thing, and this is definitely true when it comes to HIPAA. At Spruce, we sometimes hear from healthcare providers who think that they are exempt from HIPAA, but this is almost never fully accurate and it can be a costly regulatory mistake to make.
If you’re involved with healthcare in the United States and you believe that HIPAA doesn’t apply to you, you might want to reconsider that position. Read on to learn why and to make sure that you’re protected.
The Pitfall: Thinking That HIPAA Only Applies on the Federal Level
HIPAA is a federal law, and its resultant regulations are therefore developed and enforced by the federal Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR). This situation means that HIPAA has potential implications for everybody in the country, but as per HHS, the scope of the law is generally limited to “health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.”
We’ve spent time on this blog discussing the ins and outs of this scope limitation, including the specifics of which “electronic transactions” put you under the purview of HIPAA, and the government even provides a clickable flowchart to help you determine if the law might apply to you.
If you read all of this guidance, you could easily get the idea that HIPAA doesn’t hold any sway over many types of medical practices, such as those that don’t accept health insurance or those that use paper charts.
This, however, would be a huge mistake.
The Catch: HIPAA Can Be Used to Establish the Standard of Care in Non-HIPAA Lawsuits
This gets a little technical, but bear with me.
As we discussed, HIPAA is federal law and doesn’t apply directly to all medical practices. There are, however, many common state laws that patients and other parties can use to bring lawsuits against medical practices. Many of these fall under tort law, which is the branch of law that addresses civil wrongs that have caused damages, and it includes colloquially familiar entities like “negligence,” “invasion of privacy,” and “intentional infliction of emotional distress,” among many others.
While formal actions under HIPAA itself can only be pursued by state attorneys general or the Secretary of HHS, private individuals, such as patients, are free to file tort claims (primarily in state courts) without any direct governmental involvement. Let’s look at a “negligence” tort claim as an example.
If a patient brings a negligence claim against a medical practice, there are typically four elements that they must establish in order to be successful (this can vary by state, but it is a common framework):
- Duty: They must show that the medical practice owed them a duty of care
- Breach: They must show that this duty was not fulfilled
- Damages: They must demonstrate damages from the breach of duty
- Causation: The damages must have been reasonably foreseeable
So how can HIPAA factor into a negligence case? HIPAA has been used successfully to establish the “duty” element of negligence claims against medical organizations. For some years now, courts in many states have accepted HIPAA as the standard of care for the duties that healthcare providers owe to their patients, including the law’s provisions for security and privacy.1–4
Importantly, the success of these cases did not depend on the parts of HIPAA that determine who it applies to in its capacity as a federal law. In these negligence cases, it only mattered that there was a doctor–patient relationship; that fact alone was enough for the courts to decide that the practices owed their patients a duty of HIPAA compliance, at least for the purposes of tort law.5
That Is Confusing and Boring. Give Me the Summary!
First of all, rude: the law is fascinating. But, yes, it can be a little confusing or even daunting.
Here’s the take-home summary:
- Many courts in the United States will use HIPAA as the standard of care for medical privacy and security, even in cases that are not within the strict scope of the law.
- This means that healthcare organizations can lose lawsuits because of HIPAA, even when the law does not directly apply to them.
A Bonus Reminder About HIPAA Compliance and State Law
It’s also critical to remember that many states have passed their own medical privacy and security laws. In general, HIPAA provides a “floor” of privacy protection, meaning that states cannot have laws that are more lenient than HIPAA. They can, however, have laws that are more strict or far-reaching than HIPAA, and many do. They are also free to make their laws apply to all healthcare providers, rather than following the scope limitations that are present in HIPAA.
Understanding HIPAA is a good starting point, but it’s also important to be informed about any health privacy laws that your state has. Since these laws are guaranteed to be at least as strict as HIPAA, they end up functioning as a de facto mechanism to require HIPAA compliance, even from providers who might otherwise be exempt on a federal level.
And How Can I Be HIPAA Compliant?
We’ve got a HIPAA-compliance checklist to get you started and help make it easy! It’s not so bad; we promise. 🙂
This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.
- Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 2014 WL 5507439 (Conn. Nov. 11, 2014)
- Acosta v. Byrum, 638 S.E.2d 246, 249 (N.C. App. 2006).
- Sorensen v. Barbuto, 143 P.3d 295, 298 (Utah Ct. App. 2006) aff’d and remanded, 177 P.3d 614 (Utah 2008).
- Walgreen Co. v. Hinchy, 21 N.E. 99, 105 (Ind. Ct. App. 2014) on rehearing, 25 N.E.3d 748 (Ind. Ct. App. 2015).
- Koch, D. D., JD & RN. Is the HIPAA Security Rule Enough to Protect Electronic Personal Health Information (PHI) in the Cyber Age? J. Health Care Finance 43, (2016).