North Carolina appeals court allows new use of HIPAA in lawsuit

The patient sued the physician for negligence to get around a federal ruling against direct HIPAA privacy lawsuits.

By — Posted March 12, 2007

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

A North Carolina appeals court ruling suggests an alternate route patients may take to sue physicians for HIPAA violations, in spite of a 2006 federal decision that essentially closed the door on lawsuits brought directly under the privacy statute, experts warn.

The plaintiff in the case, Heather D. Acosta, was an employee and a patient at a psychiatric clinic, according to court records. She sued the clinic's owner, David R. Faber II, MD, in May 2005 for giving his medical records access password to an office manager. That person later disclosed Acosta's confidential information to a third party without her consent.

But rather than filing suit against Dr. Faber directly under HIPAA, Acosta sued him for negligence for giving the password to unauthorized personnel. The lawsuit accuses Dr. Faber of breaching his duty under the privacy regulations established under HIPAA and the rules adopted at the hospital system where the medical records are stored. Acosta alleges that he should have known that his negligence would cause her emotional distress.

A trial court dismissed the lawsuit, saying HIPAA did not create a private right of action. But the North Carolina Court of Appeals in December 2006 reversed that ruling. The appeals court said the patient was not making her claim under HIPAA; rather, she was using the privacy statute to establish the standard of care that Dr. Faber should have followed.

"Plaintiff cites to HIPAA as evidence of the appropriate standard of care, a necessary element of negligence," the opinion states. "Since plaintiff made no HIPAA claim, HIPAA is inapplicable beyond providing evidence of the duty of care owed by Dr. Faber with regards to the privacy of plaintiff's medical records." The court allowed the lawsuit to go forward. No trial date has been set.

Starting a new trend?

Legal experts could not immediately recall any similar rulings and said the North Carolina decision may set a precedent for other plaintiff attorneys to follow when filing privacy cases.

"What this case does is substitute the HIPAA standard for a jury's assessment of whether the doctor exercised reasonable care to prevent whatever was going to happen," said Philip H. Lebowitz, a HIPAA lawyer and partner with Philadelphia-based Duane Morris LLP.

He said the legal tactic is one that plaintiff attorneys likely will pick up, particularly in light of a November 2006 ruling by the 5th U.S. Circuit Court of Appeals. That decision was the first at the federal level to affirm that patients cannot sue directly under the statute. But judges intimated that patients could continue to bring privacy claims in state court.

Health lawyer Gregory D. Frost said the North Carolina ruling may be a first step toward using a HIPAA violation as the basis of a lawsuit.

He said the appeals court assumed that HIPAA set the standard for negligent conduct. But other courts, depending on states' legal standards, still could question if the federal regulation was intended to prevent a specific harm to patients, noted Frost, a HIPAA expert with Adams and Reese LLP in Baton Rouge, La.

"It's fair to say the original statute was never meant to set a standard that negligence was to be judged against," he said. "Ultimately we are going to get there, because the people these regulations are designed to protect are the same people who are injured when they are not followed. But it's something that courts might quibble over."

The plaintiff attorney in the case, Larry C. Economos, insisted that HIPAA clearly sets out a duty by which doctors must abide and a baseline for negligent conduct. "This was a doctor who had a duty not to violate [Acosta's] privacy," the Greenville, N.C. attorney said.

The appeals court also rejected the doctor's claim that the patient was essentially filing a medical liability case, Economos said. Judges found that providing the password qualified as an administrative action, not one involving direct patient care, according to the ruling.

Dr. Faber's attorneys declined to comment for the story.

Doctors who might have let their guard down thinking patients cannot sue them under HIPAA need to make sure their policies and procedures for authorized medical records access are tight, legal experts warn.

"The likelihood that individuals may use HIPAA in this way to seek redress warrants people's attention," Lebowitz said.

Back to top


Case at a glance

Heather D. Acosta v. Robin Byrum et al.

Venue: North Carolina Court of Appeals
At issue: Whether a patient can sue a doctor for negligence based on an alleged HIPAA violation. The court said yes.
Potential impact: Legal experts say the case could set a precedent.

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story