Defending Claims for Violations of Patient Privacy

WDC Journal Edition: Spring 2012
By: Gina Meierbachtol, Corneille Law Group, LLC


State and federal laws regarding patient privacy have added complexity to personal injury and medical negligence claims. Additionally, plaintiffs are using these laws as a basis for liability in their own right. Given that Wisconsin’s laws protecting patient records come with fee shifting provisions,[i] it should come as no surprise that plaintiffs and their counsel continue to look for ways to include claims for violation of privacy laws wherever possible. This article will outline the state and federal requirements for protecting health information, the limitations of those laws, and information to consider in defending claims based on alleged violation of these laws.

I. Federal and State Law

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to improve portability and continuity of health insurance coverage, to combat waste, fraud, and abuse in health insurance and health care delivery, and to simplify the administration of health insurance.[ii] To this end, the Department of Health and Human Services (HHS) was to provide Congress with recommendations of standards for ensuring the privacy of protected health information (PHI).[iii] The “Privacy Rule” took effect on April 14, 2003.[iv] The Privacy Rule specifies the circumstances under which health care providers and other entities may disclose PHI.[v]

The Privacy Rule governs the disclosure of PHI in the possession of a “covered entity,” which includes “health care providers,” “health plans,” and “health care clearinghouses.”[vi] PHI is defined as “individually identifiable health information” that is transmitted by electronic media, maintained in any medium described in the definition of electronic media, or transmitted or maintained in any other form or medium, including orally.[vii] In general, a patient’s PHI can be disclosed by the covered entity to the individual patient, to other providers and insurance companies for treatment or payment, and pursuant to the patient’s written authorization.[viii]

In 2009, Congress expanded application of the Privacy Rule in the “Health Information Technology for Economic and Clinical Health Act” (HITECH).[ix] HITECH was intended to improve the nation’s health care through health information technology. The expanded use of health information technology raised privacy and security concerns, so HITECH added and strengthened provisions on how individually identifiable health information must be handled. Significantly, HITECH expanded the application of portions of the Privacy Rule directly to “business associates” and the subcontractors of “business associates” of HIPAA-covered entities.[x] Business associates are entities that perform functions on behalf of, or provide certain services to, covered entities.[xi] This includes law firms, accountants, and management services. HITECH authorizes direct civil and criminal enforcement against business associates.[xii]

Wisconsin’s law on the confidentiality of patient health care records is found at Wis. Stat. § 146.82. It mandates that all patient health care records shall remain confidential. It applies to “any person,” as opposed to HIPAA’s limited application to “covered entities” and “business associates.”[xiii]

Section 146.82 sets forth circumstances in which records may be released with and without the informed consent of the patient.[xiv] “Patient health care records” means all records related to the health of a patient prepared by or under the supervision of a health care provider.[xv] Informed consent means “written consent to the disclosure of information from patient health care records to an individual, agency or organization.”[xvi]

The Privacy Rule interacts with state law by preempting any provision of state law that is contrary to any portion of the Privacy Rule, unless the state law provision that relates to the privacy of individually identifiable health information is more stringent than the Privacy Rule provision.[xvii] Essentially, HIPAA is the floor for privacy protection.

A state law is “contrary” to the Privacy Rule if a health care provider would find it impossible to comply with both the state and federal requirements.[xviii] A state law is “more stringent” than the Privacy Rule if it prohibits or restricts disclosure when it would be permitted under the Privacy Rule or provides greater privacy protection for the individual.[xix] For example, Wis. Stat. §§ 146.82(2)(a)4 and 51.30(4)(b)4 allow disclosure of patient records in judicial proceedings without informed consent only in response to a court order. HIPAA would allow such disclosures in response to a court order, subpoena, and certain discovery requests.[xx] Because the state law is more stringent than HIPAA, state law prevails.

II. Defenses to Claims for Violation of Patient Privacy Laws

HIPAA and Wis. Stat. § 146.82 are limited in their enforcement, application, scope, and remedies. Each of these limitations provides important defenses to claims for violations of privacy laws.

A. Limitations on Enforcement

HIPAA limits enforcement to the Secretary of Health and Human Services.[xxi] It does not provide for a private cause of action.[xxii] A claim by any other person or entity that a defendant violated HIPAA should be promptly addressed by way of a motion to dismiss.

While HIPAA does not provide a private cause of action, plaintiffs sometimes attempt to use the Privacy Rule as the foundation for a negligence claim. However, there is not yet a lot of case law on this topic.

In the North Carolina case of Acosta v. Byrum, plaintiff alleged that her psychiatrist breached his duty to maintain privacy in her confidential medical records, and that HIPAA provided evidence of the standard of care in her tort claim.[xxiii] The court held that plaintiff’s claim should not have been dismissed at the motion to dismiss stage simply because HIPAA did not provide a private cause of action.[xxiv] HIPAA was inapplicable to plaintiff’s claims beyond providing evidence of the duty of care her psychiatrist owed.[xxv] The case was remanded back to the trial court.

The North Carolina appellate court permitted the plaintiff to attempt to use HIPAA as evidence of the standard of care owed by her psychiatrist, similar to a plaintiff’s use of a policy or procedure as evidence of the standard of care. Whether the same result would be reached in Wisconsin is still an open question. As a result, defendants should argue that, in addition to the typical arguments to keep out a policy or procedure, HIPAA cannot be used as evidence of the standard of care when the law itself prohibits a private cause of action. Importantly, Acosta v. Byrum merely determined that the plaintiff’s claim was sufficiently pled, not that HIPAA actually established the standard of care.[xxvi]

In Cain v. Mitchell, a Missouri federal district court expressly held that a violation of HIPAA does not give rise to a private cause of action, because “private rights of action to enforce federal law must be created by Congress,” and HIPAA does not provide for a private right of action.[xxvii] The Seventh Circuit and Supreme Court of Wisconsin, although they have not yet directly addressed HIPAA, are likely to reach the same result given their prior decisions in analogous circumstances.[xxviii]

If plaintiffs could use HIPAA to establish the standard of care for a negligence claim, the fact that Congress chose not to provide a private cause of action would be absolutely meaningless. This would lead to an absurd result. Wisconsin has already rejected attempts by plaintiffs to raise the standard of care based on federal laws never intended for that purpose.[xxix]

Nevertheless, if plaintiffs are permitted to use HIPAA as evidence of the standard of care, the defense must be prepared to identify the limited application and scope of the privacy laws, as well as their exceptions.

B. Limitations on Application of the Privacy Laws

While Wis. Stat. § 146.82 applies to “any person,” HIPAA only applies to health plans, health care providers, health care clearinghouses, and their business associates.[xxx] In State v. Straehler, a 2008 Court of Appeals decision, Straehler sought to suppress the results of a chemical intoxication test because the police violated HIPAA when obtaining probable cause for a blood draw.[xxxi] The court rejected this contention because HIPAA did not apply to police officers.[xxxii] There was judicial agreement that the legislature did not intend HIPAA to apply to non-covered entities, and law enforcement was expressly excluded from covered entities in the legislative history.[xxxiii]

Section 146.82 is limited to records related to the health of the patient prepared by or under the supervision of a “health care provider.” “Health care provider” is defined in Wis. Stat. § 146.81(1) and includes numerous health care professionals and facilities licensed or certified by statute. It also includes a partnership of any of the providers that provide health care services.[xxxiv]

In Hart v. Bennet, a 2003 Court of Appeals decision, Hart was dismissed from the UW-La Crosse Physician’s Assistant program after he was criminally charged for abusing his girlfriend.[xxxv] Hart entered the Men’s Abuse Program at the Family & Children’s Center, and appealed his dismissal.[xxxvi] Bennet, the coordinator of the abuse program, wrote a letter to the district attorney, and copied the University, indicating that Hart had not been honest with him and needed to continue in the program.[xxxvii] The University determined Hart had been given due process and maintained his dismissal from the program.[xxxviii]

Hart filed a lawsuit against Bennet, claiming the letter violated Wis. Stat. § 146.82. The claim was dismissed at the trial court level because Bennet was not a health care provider, nor was he under the supervision of a health care provider.[xxxix] On appeal, Hart argued that Bennet was under the supervision of a health care provider because the Family & Children’s Center, as a corporation that employed licensed psychiatrists and psychologists, was a health care provider as defined by § 146.81(1)(j).[xl] The Court of Appeals affirmed because, while the Center was a corporation that employed licensed psychiatrists and psychologists, none of them were employed in the Men’s Abuse Program and Bennet was not supervised by a licensed psychiatrist or psychologist.[xli] Accordingly, a record under § 146.82 must be prepared by, or directly under the supervision of, a health care provider.

C. Limitations in the Scope of the Privacy Laws

A commonly misunderstood area of the privacy laws pertains to sharing a patient’s health information with the patient’s family and friends. HIPAA allows a use or disclosure of PHI without written authorization to family members or others involved in the patient’s care, when an “informal agreement” has been obtained.[xlii] An informal agreement consists of notice and an opportunity to object.[xliii] It may be obtained orally.[xliv] This exception to written authorization recognizes that involving family and friends in a patient’s care is useful and often necessary.

Wisconsin’s patient confidentiality statute, on the other hand, does not recognize oral authorization or agreement for the release of patient health care records. Because the Wisconsin law is more stringent, it prevails. This law was traditionally understood to prohibit the common practice of discussing a patient’s condition, treatment, and outlook with the patient’s spouse, children, or other family members or friends without the patient’s written authorization.

However, Wis. Stat. § 146.82 is limited to the release of documents. It does not apply to oral discussions with family members. In State v. Thompson, a 1998 Court of Appeals decision, plaintiff argued that § 146.82 gave him the right to exclude from the operating room during his surgery a police officer who took possession of cocaine removed from his small intestine.[xlv] Plaintiff contended that § 146.82 should restrict access to medical procedures, and limiting the application of § 146.82 to medical records would produce an absurd result, because the police officer could observe the surgery but be prohibited from reading the record for that surgery.[xlvi] The court disagreed, and held that the plain language of § 146.82 limited its application to records.[xlvii]

In Straehler, discussed above, Nurse Hagerman informed a police officer that she smelled alcohol coming from defendant Straehler, and that Straehler had told the hospital she had consumed alcohol prior to the accident.[xlviii] Straehler argued that without the disclosure of her medical information, the police officer did not have probable cause for a blood draw.[xlix] Straehler sought to suppress the evidence, contending the release of her confidential health information by the nurse violated Wis. Stat. § 146.82 and HIPAA.[l] The court held the nurse’s verbal statements based on her observations were not records protected under § 146.82.[li]

In sum, Wis. Stat. § 146.82 does not reach beyond medical records. An informal agreement can be obtained to share medical information with family and friends without written authorization.

D. Exceptions to the Privacy Laws

Both HIPAA and Wisconsin law contain multiple exceptions to obtaining a patient’s written authorization for public benefit activities. These exceptions must be allowed both by HIPAA and Wis. Stat. § 146.82, and include the following:

    • When the patient or their representative is incapacitated and the health care provider determines, in the exercise of professional judgment, that the release is in the best interest of the individual;[lii]
    • Disclosure/release among health care providers to facilitate treatment of the patient;[liii]
    • Disclosure/release for health care operations;[liv]
    • Reports of child abuse or neglect;[lv]
    • Disclosure/release necessary for billing, collection, or payment of claims;[lvi]
    • Disclosures/releases required by court order;[lvii]
    • Disclosure/release to a federal or state agency to perform legally authorized functions;[lviii]
    • Disclosure/release to facilitate organ donation;[lix] and
    • Disclosure/release to a coroner or medical examiner.[lx]

E. Other Defenses

Other portions of the Wisconsin Statutes may permit a good faith defense, if a record is disclosed in certain limited circumstances. For example, Wis. Stat. § 255.40 requires certain medical providers to report wounds if there is reasonable cause to believe the wound occurred as a result of a crime. While this scenario is excepted from the requirements of Wis. Stat. § 146.82,[lxi] a dispute may arise regarding what is considered a “wound.”

This issue recently arose in a case where a physician reported an alleged rape to local authorities after her patient told her she had been raped and the patient’s physical examination contained abrasions consistent with forced intercourse. The plaintiff agreed to talk with law enforcement about the alleged rape, which led to a rape investigation. Plaintiff was later charged with obstruction of justice because the rape accusation was false. This violated a condition of her parole, and she was jailed. After plaintiff was released, she sued her physician for contacting authorities about the rape. While the issue of what is a “wound” was not litigated, an additional defense was found in Wis. Stat. § 255.40(3), which allowed for civil and criminal immunity for any person who reported information under § 255.40 in “good faith.”

The damages for violating Wis. Stat. § 146.82 go beyond those of an ordinary tort claim. If a person violates § 146.82 in a manner that is “knowing and willful,” they are liable to any person injured as a result of the violation for actual damages, exemplary damages of not more than $25,000, costs, and reasonable actual attorney fees.[lxii] A person who negligently violates the statute is liable to any person injured as a result of the violation for actual damages, exemplary damages of not more than $1,000, costs, and reasonable actual attorney fees.[lxiii] Section 146.82 also allows for criminal penalties. However, the “are liable” language does not support strict liability. Actual damages are a prerequisite to recovery for violations of § 146.82 in order to prevent frivolous or nuisance litigation.[lxiv] That is, there is no right to exemplary damages unless actual damages are proven.[lxv]


Maintaining patient privacy has become increasingly complex since the passage and expansion of the Privacy Rule. At the same time, Wisconsin law has increased the available remedies for violations of patient privacy. As plaintiffs and their attorneys become more familiar with the Privacy Rule, claims based on HIPAA and Wisconsin’s patient confidentiality statute will likely increase. At the same time, the significant limitations and exceptions to the privacy laws will provide numerous ways to defend these claims.

[i] The attorney fees provisions were added in 1999.

[ii] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996), codified at 42 U.S.C. §§ 1320d-1320d-8.

[iii] Id.

[iv] 45 C.F.R. § 164.534.

[v] See 45 C.F.R. §§ 160-64.

[vi] Id. § 160.103.

[vii] Id. § 164.501.

[viii] Id. § 164.502(a)(1).

[ix] HITECH is a part of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115 (2009), codified at 42 U.S.C. § 17930, et seq.

[x] Under HIPAA, a covered entity was responsible for ensuring the compliance of its business associates. HITECH expanded the definition of “business associate” and made them directly responsible for complying with portions of HIPAA. See 45 C.F.R. § 160.103.

[xi] See id.

[xii] 42 U.S.C. § 1320d-5, 6.

[xiii] See Kniess v. Lueder, No. 2010AP1373, 2011 Wis. App. LEXIS 724 (Wis. Ct. App. Sept. 8, 2011) (unpublished opinion).

[xiv] Wis. Stat. § 146.82(1)-(2).

[xv] Wis. Stat. § 146.81(4).

[xvi] Wis. Stat. § 146.81(2).

[xvii] 45 C.F.R. § 160.203(b).

[xviii] Id. § 160.202.

[xix] Id. § 160.202.

[xx] 45 C.F.R. § 164.512(e).

[xxi] State attorneys general may also bring a civil action to enjoin further violation of HIPAA, and to obtain damages. See 42 U.S.C. § 1320d-5(d).

[xxii] See Acara v. Banks, 470 F.3d 569 (5th Cir. 2006); Johnson v. Quander, 370 F. Supp. 2d 79 (D. Colo. 2005); Roberts v. Unitrin Specialty Lines Ins. Co., 405 Fed. Appx. 874 (5th Cir. 2010); United States v. Lane, 65 M.J. 481 (C.A.A.F. 2007).

[xxiii] 638 S.E.2d 246, 250-51, 253 (N.C. App. 2006).

[xxiv] Id. at 250.

[xxv] Id. at 253.

[xxvi] See id. at 251.

[xxvii] No. 06-897-CV-W-FJG, 2007 WL 4287866 (W.D. Mo. Dec. 6, 2007) (unpublished decision).

[xxviii] See Miller Aviation v. Milw. Co. Bd. of Supervisors, 273 F.3d 722, 728-29 (7th Cir. 2001) (citing Grube v. Daun, 210 Wis. 2d 681, 689, 563 N.W.2d 523 (1997)) (“[T]he general rule is that a statute which does not purport to establish a civil liability, but merely makes provision to secure the safety or welfare of the public as an entity, is not subject to a construction establishing a civil liability.”); see also Dersch Energies, Inc. v. Shell Oil Co., 314 F.3d 846, 857 (7th Cir. 2002) (“A private right of action to enforce federal law must be created by Congress…. Without it, a cause of action does not exist and courts may not create one, no matter how desirable that might be as a policy matter, or how compatible with the statute.”).

[xxix] See State v. Raymond C. (In re Torrance P. and Mallory P.), 187 Wis. 2d 10, 15-16, 522 N.W.2d 243 (Ct. App. 1994) (refusing to consider alleged violations of the ADA to raise the standard of care in termination of parental rights hearings).

[xxx] 45 C.F.R. § 160.103.

[xxxi] 2008 WI App 14, ¶ 9, 307 Wis. 2d 360, 745 N.W.2d 431.

[xxxii] See id., ¶ 10.

[xxxiii] See id., ¶¶ 11-12.

[xxxiv] Wis. Stat. § 146.81(1)(i)-(j).

[xxxv] 2003 WI App 231, ¶ 3, 267 Wis. 2d 919, 672 N.W.2d 306.

[xxxvi] See id.

[xxxvii] See id., ¶ 4.

[xxxviii] See id., ¶ 5.

[xxxix] Whether the letter was a “record related to the health of the patient” was not litigated.

[xl] See id., ¶ 14.

[xli] See id., ¶ 15.

[xlii] 45 C.F.R. § 164.510.

[xliii] See id.

[xliv] See id.

[xlv] 222 Wis. 2d 179, 188, 585 N.W.2d 905 (Ct. App. 1998).

[xlvi] Id. at 189.

[xlvii] Id.

[xlviii] 2008 WI App 14, ¶ 3, 307 Wis. 2d 360, 745 N.W.2d 431.

[xlix] Id., ¶ 8.

[l] Id., ¶ 9.

[li] Id., ¶ 20. The court observed that it could not determine from the record if the information disclosed by the nurse ultimately ended up in Straehler’s patient health care records. Id. This observation suggests that the court’s analysis may have been different if the nurse had only learned that Straehler smelled of alcohol and that Straehler had told the hospital she consumed alcohol by reading it in Straehler’s records.

[lii] See 45 C.F.R. § 164.512(c)(1)(iii)(B), (f)(3)(iii)(C); Wis. Stat. § 146.82(4)(b).

[liii] See 45 C.F.R. § 164.506; Wis. Stat. § 146.82(2)(a)2.

[liv] See 45 C.F.R. § 164.506; Wis. Stat. § 146.82(2)(a)1.

[lv] See 45 C.F.R. § 164.512(b)(ii); Wis. Stat. § 146.82(2)(a)10.

[lvi] See 45 C.F.R. § 164.506; Wis. Stat. § 146.82(2)(a)3.

[lvii] 45 C.F.R. § 164.512(e); Wis. Stat. § 146.82(2)(a)4.

[lviii] 45 C.F.R. § 164.512(a),(b),(d); Wis. Stat. § 146.82(2)(a)5.

[lix] 45 C.F.R. § 164.512(h); Wis. Stat. § 146.82(2)(a)19.

[lx] 45 C.F.R. § 164.512(g); Wis. Stat. § 146.82(2)(a)18.

[lxi] See Wis. Stat. § 146.82(1).

[lxii] Wis. Stat. § 146.84(1)(b). In 1999, the legislature amended the statute to increase the limit on exemplary damages from $1000 to $25,000 and to permit reimbursement of attorney fees.

[lxiii] Wis. Stat. § 146.82(1)(bm). Remedies for a negligent violation of the statute were added to the statute in 1999.

[lxiv] See Ortiz v. Aurora Health Care, Inc., 430 B.R. 523, 534 (E.D. Wis. Bankr. 2010).

[lxv] See id.; see also Hannigan v. Sunby Pharmacy, 224 Wis. 2d 910, 924, 593 N.W.2d 52 (Ct. App. 1999) (holding that the statute does not impose strict liability).