
HIPAA Compliance and Vicarious Liability

Rachel V. Rose, JD, MBA

This auditing and compliance “Tip of the Week” was originally published by the National Alliance for Medical Auditing Specialists (NAMAS), a division of DoctorsManagement.

Let’s stroll back in time for a moment. The date is April 20, 2005. It is the date that covered entities under the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 1996) (“HIPAA”) were required to comply with the Security Rule.[1] Enforcement by the United States Department of Health and Human Services – Office for Civil Rights (“OCR”) began on July 29, 2009, approximately six months after the Health Information and Technology for Economic and Clinical Health Act (“HITECH Act”), which was part of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5 (Feb. 17, 2009). The HITECH Act ushered in increased penalties, express liability for covered entities, business associates and subcontractors, and the adoption of health information technology. The Final Omnibus Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013), finalized a number of requirements under HIPAA and the HITECH Act.

One area that has garnered increased interest is the provision of HIPAA that does not confer a private right of action upon individuals. 42 U.S.C. § 1320(d). According to the United States Court of Appeals for the Fifth Circuit, HIPAA does not contain any express language conferring privacy rights upon a specific class of individuals. Instead, it focuses on regulating persons that have access to individually identifiable medical information and who conduct certain electronic health care transactions. … Because HIPAA specifically delegates enforcement, there is a strong indication that Congress intended to preclude private enforcement.[2]

This premise still holds true; however, the fact that HIPAA does not have a private right of action does not mean that an aggrieved person is without legal options. Oftentimes, HIPAA is used as the basis of a negligence case. Negligence is a common law tort claim. In order to prevail, a plaintiff needs to satisfy four (some say five) main elements: duty, breach, causation (both actual and proximate) and damages.[3]

Recently, the Virginia Supreme Court revived a vicarious liability claim[4] based on HIPAA violations against a medical clinic where employees improperly accessed and disclosed a patient’s diagnosis. In Lindsey Parker v. Carilion Clinic, et al., No. 170132 (Va. Nov. 3, 2018),[5] Ms. Parker was diagnosed with a condition by a gynecology group. She subsequently visited her primary care physician for diagnosis and treatment on an unrelated item. Carilion owned both entities. While at her primary care physician’s office, Ms. Parker spoke with an acquaintance in the waiting room. One of the employees also knew the acquaintance. The employee, who was not part of the care team, accessed Ms. Parker’s medical information and disclosed it to a friend, who subsequently accessed the information. In turn, the medical information was disclosed to the acquaintance.

The Virginia Supreme Court cited Fairfax Hospital v. Curtis, 254 Va. 437, 442, 492 S.E. 642 (1997) for the proposition that “absent a statute to the contrary or a risk of serious danger to the patient or others, a healthcare provider ‘owes a duty to the patient not to disclose information gained from the patient during the course of treatment without the patient’s authorization.’” Importantly, the court distinguished between the vicarious liability claims and the negligence claim related to HIPAA. The ultimate outcome of the Virginia Supreme Court’s opinion was “[n]one of our precedents has ever imposed a tort duty on a health care provider to manage its confidential information systems so as to deter employees from willfully gaining unauthorized access to confidential medical information.” But this is a trap, and one of which people should take notice. Other state and federal courts have upheld unequivocally that HIPAA can form the basis of a negligence case. In Barber v. Camden Clark Memorial Hospital, No. 17-0643 (W.Va. May 31, 2018), the West Virginia Supreme Court repeated its holding in R.K. v. St. Mary’s Med. Ctr., Inc., 229 W.Va. 712, 735 S.E.2d 715 (2012) that HIPAA could form the basis of a negligence case.[6] It should also be noted that the Virginia Supreme Court specified oversight of information systems. In sum, a different court, a different legal argument or a different set of facts could have rendered a different outcome.

[1] U.S. Department of Health and Human Services, HIPAA Enforcement, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html.

[2] Margaret A. Acara v. Bradley C. Banks, M.D., No. 06-30356 (5th Cir., Nov. 13, 2006), http://www.ca5.uscourts.gov/opinions%5Cpub%5C06/06-30356-CV0.wpd.pdf.

[3] David G. Owen, The Five Elements of Negligence, Hofstra Law Review (2007), https://scholarlycommons.law.hofstra.edu/cgi/viewcontent.cgi?article=2282&context=hlr.

[4] Black’s Law Dictionary, Vicarious Liability – obligation arising from the parties’ relationship with each other, https://thelawdictionary.org/vicarious-liability.

[5] See, https://cases.justia.com/virginia/supreme-court/2018-170132.pdf?ts=1541077693.

[6] See, https://law.justia.com/cases/west-virginia/supreme-court/2018/17-0643.html.
