
Oklahoma Hospital Sued for Alleged HIPAA Violation Over Drowning



By Fred Donovan

McAlester Regional Health Center (MRHC) in Oklahoma is being sued for an alleged HIPAA violation for sharing information on a boy’s drowning with his biological mother, reported the Pauls Valley Democrat newspaper on Aug. 23.

The lawsuit was filed by the adoptive parents of Keon James Stone (Russell), who was transported to MRHC on July 27, 2016, as a drowning victim, where he later died.

The law firm for Gerl and Denise Russell alleged that an employee at MRHC committed a HIPAA violation by notifying the child’s biological mother of his death. The lawsuit alleged that the biological mother had “consented to the termination of her rights.”

The lawsuit claimed that the HIPAA violation led to emotional distress during the funeral and related incidents.

“MRHC filed an answer to the petition claiming a letter dated July 17, 2017, from the Russells’ counsel asserted a claim for damages as a result of the alleged breach of health care information, which was denied on Oct. 15, 2017,” the newspaper explained.

MRHC agreed that HIPAA laws required it to keep the boy’s medical information private, but denied the allegation that it improperly shared information with the biological mother.

The hospital also claimed that the alleged damages were a result of a third party, and “there is no private right of action for a violation of HIPAA.”

Pittsburg County Associate District Judge Tim Mills ordered an amended schedule in the case, with a discovery deadline of October 15, a dispositive motion deadline of November 1, a pre-trial conference on December 5, and a jury trial set for January 14, 2019.

In June, a federal court judge dismissed a lawsuit brought by Hope Lee-Thomas against LabCorp for an alleged HIPAA violation, ruling that there is no private right of action under HIPAA.

Hope Lee-Thomas had accused LabCorp of a HIPAA violation for not providing adequate privacy protections at its Providence Hospital computer intake station. Lee-Thomas argued that LabCorp failed to shield her PHI from public view at the station.

Lee-Thomas informed a LabCorp technician about the possible HIPAA violation and photographed the two stations. She sent a letter to Providence Hospital informing it about the possible HIPAA violation and then filed a complaint with HHS. She subsequently filed a complaint with the District of Columbia’s Office of Human Rights.

HHS responded that it would not pursue her claim. The DC government informed Lee-Thomas about her right to bring a private action before the DC Superior Court under the DC Human Rights Act. Lee-Thomas then filed a lawsuit with that court.

LabCorp succeeded in moving the lawsuit to the US District Court for the District of Columbia and filed a motion to dismiss the case. It argued that the plaintiff had “failed to state a claim because HIPAA does not provide for a private cause of action.”

US District Court Judge Rudolph Contreras ruled that the language of HIPAA “specifically limits enforcement action to HHS and individual states’ attorneys general.”

“Furthermore, courts in this and other circuits that have considered the question have reached a consensus that the statutory language of HIPAA grants no private right of action,” the judge wrote.

The law firm of Thompson Hine noted in a blog post that “an individual whose PHI has been used or disclosed by a health care provider in violation of HIPAA may not bring a civil claim against the health care provider under HIPAA.”

“Moreover, HIPAA specifically preempts any contrary provision of state law, meaning that a state law claim cannot be brought where a health care provider cannot comply with both the state and federal laws, or where the state law is an impediment to HIPAA’s objectives,” the law firm related.

However, some state court decisions have held that a HIPAA violation may form the basis for a state law negligence claim involving disclosure of PHI.

The firm cited a 2014 ruling by the Connecticut Supreme Court which held that breaches of PHI can expose healthcare providers to claims of negligence brought by individuals under state law.