While HIPAA does not in and of itself create a private cause of action, a growing body of cases in both federal and state courts outside of Texas suggests that a HIPAA violation causing clear harm to a plaintiff may support a lawsuit by providing grounds for some other private claim. Plaintiffs who have shown intentional breaches or especially private disclosures have had recent notable success in persuading courts to treat their health care providers’ HIPAA-based duties as an applicable standard of care to support their claims.
An Indiana court of appeals also recognized a claim factually predicated on a HIPAA violation in Hinchy v. Walgreen Co. There, the court did not expressly discuss whether HIPAA violations can give rise to other private claims; instead, the court admonished the defendant’s pharmacist employee for breaching “one of her most sacred duties” by purposefully divulging the plaintiff’s birth control prescription records to her husband, the plaintiff’s ex-boyfriend. The court affirmed a $1.8 million award to the plaintiff, whose claims against Walgreens included negligent retention and supervision as well as Indiana statutory claims of negligence by professional malpractice and public disclosure of private facts.
These cases differ significantly from the more typical data security breach. They illustrate, however, that courts may be increasingly willing to use HIPAA violations to support common law or state statutory claims, at least where the violation and harm to a plaintiff are clear.