As long predicted, even if health care practitioners argue that HIPAA privacy rules do not apply to their health care practices, courts enforcing state privacy laws will rely upon HIPAA privacy rules as the “standard of care” to measure satisfaction of the state obligation. For example, Washington State health information privacy laws require all health care practitioners to “effect reasonable safeguards for the security of all health care information it maintains.” The Washington law does not describe what “reasonable safeguards” look like; but, HIPAA does.
Last month, the Connecticut Supreme Court declared that a patient could use the HIPAA privacy rules to establish the “standard of care” for a negligence action against a doctor who violated the patient’s privacy rights. According to the Court:
…HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena. The availability of such private rights of action in state courts, to the extent that they exist as a matter of state law, do not preclude, conflict with, or complicate health care providers’ compliance with HIPAA. On the contrary, negligence claims in state courts support ‘‘at least one of HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s health care record.’’ [EMILY BYRNE v. AVERY CENTER FOR OBSTETRICS AND GYNECOLOGY, P.C. Connecticut Supreme Court November 11, 2014 (SC 18904)]
For health care practitioners who spend more time arguing why they do not need to comply with HIPAA rules like “risk assessments,” than they do actually working to protect patient privacy – good luck. We’ll see you in court.