Law360 reports that Adventist Hospital System/Sunbelt Inc. succeeded in getting a federal court to dismiss a potential class action lawsuit against it. As noted previously on this blog, the lawsuit stemmed from employees at Florida Hospital Celebration selling patient information. Adventist had moved to dismiss Richard Faircloth’s lawsuit on grounds that the federal court lacked subject matter jurisdiction because HIPAA does not provide for a private cause of action.
In an order issued July 3, Judge Roy B. Dalton Jr. explains that the breach of contract and other claims raised by Faircloth do not arise under federal law:
These are simply state law claims for which the standard of care involves patient privacy, which happens to be regulated by HIPAA. “The privacy standards imposed by HIPAA are not uniquely federal and do not raise any issue of great federal interest.” K.V. Women’s Healthcare Network, No. 07-0228-CV-W-DW, 2007 WL 1655734, at *1 (W.D. Mo. June 6, 2007). Thus, the federal issue in this case is not substantial and finding federal question jurisdiction would disrupt the federal-state balance approved by Congress.
Dalton’s order was consistent with many other rulings that HIPAA does not provide a means for plaintiffs to sue providers in the federal courts and Faircloth’s lawsuit was dismissed without prejudice.
According to Edmund A. Normand, one of Faircloth’s attorneys, Faircloth has filed suit in Orange County Circuit Court in Orlando, Florida. In a statement to PHIprivacy.net, he notes that while there is a clear need for uniform federal privacy protections pursuant to HIPAA, certain federal courts see otherwise and prefer state by state applications of privacy protections. He writes:
“We hope that this case will provide an impetus for health care providers to implement security standards so that when a patient is treated at a hospital they can be sure that their private information will remain private, free from sale to data scavengers and others who want the data for reasons other than providing quality health care to patients.”
A few huge penalties from HHS for failure to adequately secure patient data wouldn’t hurt that cause, either.