- A New Mexico district court mostly denied a motion to dismiss a case alleging HIPAA violations last Friday, and the state Supreme Court will now consider HIPAA’s scope in relation to the case.
District Judge Judith C. Herrera denied some motions in part in the case of G.R. v. The United States of America et al. The New Mexico Supreme Court will decide whether the plaintiff’s negligence per se claim is precluded by the fact that there is no private cause of action under HIPAA regulations.
The plaintiff, G.R., was a victim of sexual assault and brought claims against her former employer, Gallup Indian Medical Center (GIMC), the US, HHS, and Indian Health Services for several damages, including Privacy Act violations and HIPAA violations.
“…the motion to dismiss will be denied in part with regard to Defendant’s motion to dismiss G.R.’s claims for negligence and negligence per se for failure to exhaust administrative remedies,” the District Court memorandum opinion and order stated. “The motion to dismiss also will be denied in part with regard to Defendant’s motion to dismiss G.R.’s claim for publication of private facts on the grounds that she has failed to state a claim.”
However, the District Court said that it will certify the potential HIPAA violations claim to the New Mexico Supreme Court.
G.R. was physically and sexually assaulted in 2012, and sought treatment at GIMC. The defendants and their employees reportedly “disclosed private details about Plaintiff’s assault and resulting injuries” to the plaintiff’s co-workers, according to the case.
“During the weeks following the assault, as a result of GIMC’s disclosures, many of Plaintiff’s co-workers came to know the private details pertaining to Plaintiff that related to the assault,” the memorandum explained. “This, in turn, caused G.R. further trauma and humiliation, and as a result she was unable to return to work for an additional period of two months beyond the one month she spent recovering from the assault.”
G.R. then left her job at GIMC and moved “to avoid further humiliation.”
“G.R. asserts claims for violation of the Privacy Act, 5 U.S.C. § 552a (Count I), intentional infliction of emotional distress (Count II), public disclosure of private facts (Count III), negligence (Count IV), and negligence per se (Count V),” stated the memorandum.
In terms of potential HIPAA violations, the plaintiff claims that HIPAA “prohibits knowing disclosures of individual health information under certain circumstances.”
Citing a previous case, the defendants maintain that “any HIPAA claim fails as HIPAA does not create a private right of action for alleged disclosures of confidential medical information.”
However, G.R. argues that the HIPAA violations establish that the employees “acted unreasonably” in publicly sharing PHI.
“The question of whether HIPAA regulations may be used as a legislatively imposed standard of care for purposes of establishing negligence per se in New Mexico is a potentially complex question of law,” the District Court wrote. “A few states other than New Mexico have examined this question, and generally they have decided against allowing the use of HIPAA in a claim for negligence per se.”
For example, Young v. Carran rejected the plaintiff’s claim of HIPAA as foundation for damages claim under state “negligence per se” statute. That court did acknowledge though that state case law permits federal statute use to inform standard of care in common-law negligence action.
Additionally, the District Court noted the Ohio case of Sheldon v. Kettering Health Network, which said that federal regulations “cannot be used as a basis for negligence per se under Ohio law.”
“This Court is uncertain whether the New Mexico Supreme Court would unconditionally bar a claim for negligence per se based on enactments that lack private rights of action; there are no reported New Mexico decisions to guide us,” the District Court concluded. “Thus, the Court is faced with an issue on which there is no controlling decision of the New Mexico Supreme Court, the New Mexico Court of Appeals, New Mexico constitution, or state statute.”
Therefore, the state Supreme Court must answer whether New Mexico recognizes “a claim for negligence per se based on an alleged violation of HIPAA, a federal statute, even though that statute does not allow a private right of action.”
As there is little existing precedent on such matters, the New Mexico Supreme Court decision could have a national impact on how alleged HIPAA violations may affect certain negligence claims.