Patient Privacy Court Cases

By Ellie Chapman

This monthly column is written by Ellie F. Chapman of Morgan, Lewis & Bockius LLP in San Francisco. It is designed to provide RPP readers with a sampling of the types of patient privacy cases that courts are now hearing. It is not intended to be a comprehensive monthly survey of all patient privacy court actions. Contact Ellie at ellie.chapman@morganlewis.com.

◆ Federal court affirms no individual right of action under HIPAA. On June 15, Judge Rudolph Contreras held that the Health Insurance Portability and Accountability Act (HIPAA) does not provide a private cause of action for individuals in Lee-Thomas v. LabCorp, Case No. 18-cv-00591. In an action against LabCorp, plaintiff Hope Lee-Thomas alleged that during a visit to Providence Hospital in Washington, D.C., her patient privacy rights under HIPAA were violated because her protected health information (PHI) was in plain sight of other individuals when she was instructed to input her medical information into a computer intake station. The federal judge rejected the claim, stating that although HIPAA provides both civil and criminal penalties for improperly handled or disclosed PHI, the statutory language clearly restricts enforcement to actions by the Department of Health and Human Services (HHS) and states’ attorneys general: “Courts in this and other circuits that have considered the question have reached a consensus that the statutory language of HIPAA grants no private right of action.” In June 2017, Lee-Thomas received treatment from LabCorp during a visit to Providence Hospital, where she noticed the proximity of other patients to the intake station where she was inputting her medical information. She photographed the stations and notified a LabCorp employee. Shortly after the hospital visit, Lee-Thomas sent a letter to Providence Hospital and a complaint to HHS describing the alleged HIPAA violations. She later filed another complaint with the District of Columbia Office of Human Rights (OHR), claiming that LabCorp’s alleged HIPAA violations constituted a failure to make “proper public accommodations” for patients. HHS dismissed Lee-Thomas’s complaint for failure to state a claim, and OHR proposed that she bring the claim in the Superior Court of the District of Columbia, which she proceeded to do. LabCorp removed the case to the U.S. Court of Appeals for the District of Columbia Circuit and moved to dismiss for failure to state a claim on the grounds that HIPAA does not provide a private right of action. Judge Contreras agreed with LabCorp and granted the motion to dismiss, citing HIPAA’s lack of private right of action. In addition, Lee-Thomas failed to respond to LabCorp’s motion to dismiss, which further “necessitate[d] dismissal of her case.” In a footnote to his opinion, Judge Contreras noted that OHR’s suggestion that Lee-Thomas lodge a civil suit referred “solely to a claim pursuant to the D.C. Human Rights Act, which plaintiff does not raise here.” Although Judge Contreras’s opinion makes it clear that individuals cannot bring a case based exclusively on violations of HIPAA, claims related to privacy of health information may still be viable under state privacy laws.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings