HIPAA as Standard of Care

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure, #HCdeJure

A March 2021 decision by the Arizona Supreme Court recognized that obligations and requirements under the Health Insurance Portability and Accountability Act (HIPAA) can be the standard of care underpinning a claim of negligence. The Arizona decision is only the most recent in a line of similar decisions by various states. However, what does it mean for HIPAA to act as the standard of care? Breaking that concept apart is important in understanding that the approach does not mean new rights are being created by states under HIPAA.

Negligence and Standard of Care
Under common law (which is the body of law created through court decisions and custom), negligence is defined as failing to behave with the level of care that an ordinary person would have exercised, where that failure causes someone to suffer harm. Typically four elements must be established to prove negligence: (i) the existence of a legal duty, (ii) one person's breach of the legal duty, (iii) another person suffered an injury, and (iv) the first person's breach of the legal duty caused the other person's injury.

The first element, the existence of a legal duty, connects to the standard of care. The legal duty looks to a standard of care in order to establish the baseline of how a reasonably prudent person would act under the circumstances. To put it in a slightly more legal framework, a standard of care is then defined as the degree of care that a reasonable person is expected to exercise in a particular set of circumstances and failure to act at least in accordance with the standard of care can create potential liability for negligence.

HIPAA Marching In
If the standard of care is meant to establish the baseline for expected conduct by individuals, then at times it can become necessary to look around and see how the standard can be constructed. When it comes to privacy of healthcare information and claims for alleged violations of that privacy, relying upon older visions of privacy may not be sufficient. Healthcare information is often viewed as requiring a special degree of privacy protection due to the heightened sensitivity around the intimate information that could be contained. Basic privacy principles may not set high enough or clear enough standards. That is where HIPAA can become appealing.

HIPAA details a number of requirements when it comes to protecting, using, disclosing, and otherwise interacting with healthcare information. HIPAA is clear on many circumstances of how healthcare information can be shared with others. The expectations are further enhanced by the requirement to implement policies and procedures for companies and workforce members to follow when using and disclosing information. The combination of all of those factors creates an appealing foundation on which to build a standard of care. The appeal is driven by being able to reference regulatory requirements that arguably draw a clear line in the sand around what a reasonable person would do. That line can be perceived as reasonable because not following HIPAA requirements can result in regulatory enforcement consequences.

Does this Create a HIPAA Private Right of Action?
If HIPAA is used by a state as the standard of care for negligence, parties opposing that standard try to assert that the move results in the creation of a private right of action under HIPAA. The argument is a bit of a red herring, though, because the whole discussion is actually focused on state law. The negligence claim, as already explained, is premised upon common law. Common law does not restrict what sources can be used in establishing the standard of care. While case law is certainly a big component of determining the standard, the role of custom cannot be overlooked. Custom can arise from how people usually interact, but those interactions can be guided by other laws and statutes.

When a state references a federal or other law like HIPAA, the state is not trying to create a new right under the other law. Instead, the state is attempting to build out and better define its own legal standards. That is true when it comes to adopting or referencing HIPAA as a standard of care for a state level claim of negligence. Just because another law is referenced, it does not mean that the adopting state is trying to create new rights under the referenced law. Instead, it means that each state referencing HIPAA is enabling a claim to arise from state law, not somehow creating a new right under HIPAA or another law.

No Guarantees
A key point to remember about using HIPAA as a standard of care for negligence claims is that it does not guarantee success in the case. Many (if not all) of the reported cases where HIPAA is allowed as a standard of care do only that: they enable the use of HIPAA as a standard of care. From that point, it is still necessary to prove in a trial court, whether through motion practice or more likely at trial, that the standards brought in by reference to HIPAA were actually violated. Proving that part is not guaranteed to happen. Even if it is established that a standard of care was violated, it is still necessary to prove that harm or damages were suffered. It is a good reminder that claims are just allegations and that getting through all of the layers requires a number of elements to come together.

Final Impact
The final impact of using HIPAA as a standard of care could just be a further emphasis of the importance of complying with all of HIPAA’s requirements. Even though no guarantees exist of a claim actually being proven, it does heighten the risks for entities, which means paying attention to all of the details.

This article was originally published on The Pulse blog and is republished here with permission.