I seem to have missed a lawsuit that may be of interest to readers. Back in September, Bordas & Bordas, PLLC wrote:
… What if our private information is released without our permission? What if it falls into the hands of someone who can actually cause us harm?
These aren’t abstract or hypothetical questions. The danger is real, and there’s a case before the West Virginia Supreme Court that shows us just how real it is R.K. vs. St. Mary’s Medical Center, Inc., No. 11-0924.
Consider these facts. R.K. was admitted to St. Mary’s Medical Center for a psychiatric illness. R.K. was also going through a divorce. During his hospitalization, employees of the hospital illegally accessed his private medical records. To add insult to injury, they proceeded to provide copies of the records to R.K.’s wife and divorce attorney. R.K. sued the hospital, alleging a wide variety of state-law claims.
Amazingly, the hospital managed to get the lawsuit dismissed by arguing that since HIPAA doesn’t provide for a private cause of action, there can be no state-level private cause of action for a privacy violation of this kind.
That’s just plain wrong, of course, and R.K. appealed the dismissal in September. Yesterday, Bordas & Bordas provided a welcome update:
You may remember that in R. K. vs. St. Mary’s Medical Center, Inc., 2012 WL 5834577, a hospital employee illegally accessed the plaintiff’s psychiatric records and then forwarded them to the plaintiff’s estranged wife and her divorce attorney. The plaintiff sued the hospital, claiming that state law provided a remedy for this scandalous behavior. The hospital asked the trial court to dismiss the case, arguing that HIPAA preempted any and all state laws relating to medical rights privacy. Because HIPAA itself didn’t provide a remedy the hospital was, in reality, asking for a free pass.
Thankfully, the West Virginia Supreme Court refused to accept the hospital’s bizarre argument. Even though HIPAA is meant to protect privacy rights, the hospital was twisting it to mean that HIPAA violations would go unpunished. This interpretation was rejected out of hand:
[S]tate common law claims for the wrongful disclosure of medical or personal health information are not inconsistent with HIPAA. Rather, …such state law claims complement HIPAA by enhancing the penalties for its violation and thereby encouraging HIPAA compliance. Accordingly, we now hold that common law tort claims based upon the wrongful disclosure of medical or personal health information are not preempted by the Health Insurance Portability and Accountability Act of 1996.
Here’s the court’s opinion of November 15 and Chief Justice Ketchum’s dissenting opinion.