Bizarre Case Teaches Key HIPAA Lessons


Wednesday, August 05, 2009

The facts of a recent Minnesota lawsuit are so outlandish that they seem more appropriate for a tabloid cover or TV soap opera than a court opinion. After all, the old adage is that truth is sometimes stranger than fiction.

The case of Yath v. Fairview Clinics involved a patient who came to a clinic and was diagnosed with a sexually transmitted disease. She told the doctor that she had a new partner, even though she was still married at the time to her estranged husband. An employee at the clinic snooped into her records and disclosed this information to several others, including one person who displayed many of the details on a MySpace web page. Many of these disclosures were made via the employer’s e-mail system. Ultimately, the patient and her soon-to-be ex-husband found out.

Understandably, the patient was upset when she learned what had happened. Her grandmother complained to the clinic, which conducted an investigation of the incident. The clinic had policies in place to prevent unauthorized access to medical records and had an audit log system to track access. The clinic easily verified that its employee blatantly violated its privacy rules and terminated her employment in accordance with its sanctions policy.

The patient sued the two individuals responsible for the privacy breach in state court under a state law prohibiting improper disclosure of medical records. The clinic argued that this law was preempted by HIPAA, which does not allow individuals to sue. Instead, HIPAA has a complaint-driven system that can result in penalties against covered entities. HIPAA preempts state laws that are “contrary” to HIPAA.

The trial court agreed with the clinic, but on appeal, this decision was reversed. The court of appeals observed that a state law is not contrary to HIPAA simply because it allows a private cause of action for an invasion of privacy related to medical records and HIPAA does not. In fact, the court saw that the two laws were more consistent than contradictory because their goals were essentially the same: protecting the privacy of health care information. The main difference was the remedy. HIPAA allows for government enforcement against a covered entity and criminal enforcement against an individual, while the state law allows for damages in a civil lawsuit. Thus, the state law was not contrary to HIPAA.

This case is very instructive to employers with health plans, which are considered covered entities under HIPAA. First, HIPAA preemption is narrower than ERISA’s preemption of state laws. Only “contrary” state laws are preempted under HIPAA. We have seen similar claims proceed in other states.

Second, employers can be held responsible for the misconduct of their employees, even if they take preventive steps to maintain the privacy of PHI and have sufficient controls in place.

Third, the American Recovery and Reinvestment Act of 2009 (ARRA) ramped up many enforcement aspects of HIPAA. Under ARRA, an individual may actually share in any penalty that is issued against a covered entity. Most of these provisions go into effect in February 2010.