by Jackie Huchenski and Linda Abdel-Malek
The National Law Journal: June 19, 2000.
AS MANY WHO HAVE followed developments in the proposed privacy rule implementing the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) are aware, the U.S. Department of Health and Human Services, in promulgating the privacy rule, did not allow individuals a private right of action in order to enforce violations of the privacy rule.1
The reason was that Congress, in enacting the HIPAA statute in 1996, did not grant such authority to HHS. Pending finalization of the rule, however, health care lawyers should be aware that the lack of such a right may not entirely preclude individuals from bringing actions in cases in which identifiable health information has been disclosed, in violation either of HIPAA or of other state laws that directly or indirectly protect the privacy of such information.
In fact, HHS Secretary Donna E. Shalala, in an act that may have exceeded her authority, provided in the privacy rule that all contracts entered into between health care entities covered by the rule and their business partners must explicitly provide that individuals whose identifiable health information is disclosed under the contract are to be considered third-party beneficiaries of the contract. The potential liability faced by "covered entities"2 and their "business partners"3 does not end there; individuals may also be able to bring actions through their states' consumer protection laws, through state health care statutes that provide for a private right of action when violations of state law protecting health care information occur, and even through common-law theories of invasion of privacy and tort violations.
Although controversy surrounds the issue of HIPAA's third-party beneficiary provisions, as well as the notion that individuals may potentially seek redress in the courts in unprecedented numbers after finalization of the rule, it is important to keep in mind that the HIPAA privacy rule is not yet final and that, depending on the outcome, the result may be either an increase or a decrease in the rights of individuals under the rule. The lack of a private right of action in the privacy rule may have seemed at first blush a blessing for covered entities and their business partners by imposing one less obligation on them. However, the lack of clarity in the rule appears to have created the potential for a morass of judicial interpretation of various state laws.
The secretary's explanation
Secretary Shalala, in explaining her reasoning for not including a private right of action in the HIPAA privacy rule, stated:
"Only if we put the force of law behind our rhetoric can we expect people to have confidence that their health information is protected, and ensure that those holding health information will take their responsibilities seriously. In HIPAA, Congress did not provide such enforcement authority. There is no private right of action for individuals to enforce their rights, and we are concerned that the penalty structure does not reflect the importance of these privacy protections and the need to maintain individuals' trust in the system."4
Although acknowledging that Congress did not provide for a private right of action when enacting HIPAA in 1996, Secretary Shalala has arguably circumvented her lack of authority in creating such a right by mandating that all contracts between covered entities and their business partners include a provision stating that individuals whose protected health information5 is disclosed under the contract are intended third-party beneficiaries of the contract.6
The rule further provides that covered entities must enter into such contracts with their business partners whenever such a disclosure is to be made, except in the limited circumstance in which the disclosure is made for purposes of a referral or consultation for treatment. The obligation to enter into a contract ostensibly will cover the majority of disclosures of protected health information that a covered entity might make to its business partners and, given the fact that most states allow intended third-party beneficiaries to recover for violations of contracts, the universe of potential liability could be great.
Third-party beneficiary law
Pursuant to the Restatement (2d) of Contracts, the rights of third-party beneficiaries are determined based on a test of intent to benefit. Essentially, an "intended" beneficiary acquires rights under a contract if the contract recognizes that a right to performance in the beneficiary is appropriate in order to effectuate the parties' intent, and either the performance of the contract will satisfy an obligation of the promisee to pay money to the beneficiary or the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.7 An "incidental" beneficiary acquires no such right, and under the Restatement, only an "intended" beneficiary may bring an action to enforce the contract.8
The majority of jurisdictions have adopted the Restatement's intent test, and courts have interpreted the test with varying degrees of stringency. The general rule among jurisdictions that have adopted the Restatement's test appears to be that if the parties to the contract make an express statement that the third party is an intended beneficiary, the third party has an enforceable right under the contract.9 Additionally, the identity of the third-party beneficiary need not be specifically set forth in the contract in order for the parties to have intended a benefit; the intent to benefit a third party generally is all that needs to be expressed in the contract in order to give an individual the benefit of performance.10
Presumably, then, the fact that HIPAA requires contracts between covered entities and their business partners to explicitly state that "individuals whose protected health information is disclosed are intended beneficiaries of the contract"11 will make it more likely courts will find that affected individuals have standing to bring an action under the contract.
The question of how an individual who is not identified as a beneficiary would even be made aware that his or her information has been disclosed in violation of a contract is answered in the HIPAA privacy rule itself: The rule provides individuals with the right to an accounting of how their protected health information has been disclosed by a covered entity.12 The liability of a covered entity, as compared with a business partner, for violations of the rule is an area of some concern already. It should be an area of increased concern in the context of third-party beneficiary actions because, although a third-party beneficiary would ostensibly sue a business partner for breach of contract, such a business partner may try to seek indemnification from the covered entity.
Is state law pre-empted?
The HIPAA privacy rule generally pre-empts state laws that are contrary to its provisions, except in certain circumstances, including if the state law at issue is more stringent than the HIPAA privacy rule. Secretary Shalala mandated a five-part test in the privacy rule in order for an entity to determine whether a particular state law has been pre-empted by the rule.13 As part of this five-part test, the secretary has said, a state law is "more stringent than" the privacy rule, and therefore not pre-empted, if the state law provides greater penalties for violations.14 Taken to its natural conclusion, then, a state law that provides for a private right of action in cases in which identifiable health information about an individual is disclosed in violation of the state statute would likely not be pre-empted by the HIPAA privacy rule. The secretary pointed out in the HIPAA privacy rule that all states recognize in tort law a common-law or statutory right to privacy.15 Additionally, most states recognize a common-law duty of confidentiality with respect to health care providers, one type of covered entity.16 Courts have generally allowed recovery under a variety of common-law theories if such confidentiality is breached by a provider of care, including the breach-of-confidentiality tort, invasion of privacy and breach of fiduciary duty.17
Most recently, the New York Supreme Court, Appellate Division, found a similar common-law right in an action by an individual against a health maintenance organization for the disclosure of information from her patient file by an employee of the HMO. Although no private right of action was authorized under the statutes which were allegedly violated, the court found that as a policy matter, the statutes imposed a duty of confidentiality between a health plan, acting through its employee, and its patients, and that such a duty implied a "covenant of trust and confidence that is inherent in the physician-patient relationship, the breach of which is actionable as a tort."18
Some states allow patients who have been harmed by unauthorized disclosures of their health care information the right to recover damages in a civil proceeding pursuant to state statutes.19 For example, California allows for limited compensatory and punitive damages upon violation of its Confidentiality of Medical Information Act, which requires health care providers and employers to obtain written authorization from patients before releasing identifiable health information.20 Montana and Wyoming allow plaintiffs to recover reasonable attorney fees and actual costs of litigation.21 Maryland, Texas and Washington allow for a recovery of actual damages when an individual's health information is disclosed in violation of state statute.22 Finally, the New York State Assembly has proposed a bill, the Health Information Privacy Act, which would add an article to the state's Public Health Law creating a private cause of action for the misuse of identifiable health information. Specifically, the proposed law would impose criminal penalties and civil liability including, in the court's discretion, injunctions, compensatory damages, punitive damages and attorney fees and costs.23
Consumer protection laws
All 50 states have some form of consumer protection statute, commonly referred to as Unfair and Deceptive Acts and Practices (UDAP) statutes.24 Even when such statutes detail specific prohibited practices, they often also prohibit other unfair or deceptive practices more generally, and almost all such statutes authorize a private cause of action for violations.25 The violation of another state or federal statute may be considered a per se violation of a state's UDAP statute in many states. An argument can be made that these statutes provide individuals with a private right of action for violations of the HIPAA privacy rule.
For example, state and federal laws meant to protect the public often incorporate UDAP remedies. However, even violation of a statute that does not create any private right of action can be the basis for a UDAP claim. In Yale New Haven Hospital v. Mitchell,26 the Connecticut Superior Court ruled that plaintiffs had standing to sue under the protections of the Hill-Burton Act, which was intended by Congress to protect the rights of indigent individuals, regardless of the fact that Congress had not expressly created a private right of action in the statute. The court reasoned that because the purpose of the law was to protect the public good, and because Congress had not expressed any intent to deny such a remedy, a private cause of action could be brought under Connecticut's Unfair Trade Practices Act for violations of the Hill-Burton Act.
The same could be said about Congress in the context of HIPAA. Additional states whose laws create a per se private cause of action for violations of other state or federal laws include California, Massachusetts, Missouri and Mississippi.27 Even in the absence of specific UDAP statutes or regulations that allow for a per se private right of action, courts in New York and North Carolina have found such a right of action for violations of other statutes.28 This per se approach has been rejected by a few states, such as Kentucky, Illinois and Ohio, whose courts have held that there is no UDAP violation if the federal or state statute in question does not provide a private right of action.29
Considerations for counsel
Health care attorneys should become familiar with the HIPAA privacy rule, which is scheduled to become final sometime this year, and should also consider the following in attempting to assist their clients regarding the potential impact of the rule:
Regardless of how the debate taking place on these issues is resolved, one thing is certain: it is vital for legal practitioners in the health care field to stay abreast of any developments in this arena.
Ms. Huchenski is a partner at New York's Moses & Singer L.L.P. and co-chair of the firm's e-health law practice. Ms. Abdel-Malek is an associate in the firm's health care practice group.
Footnotes:
1 The privacy rule was proposed on Nov. 3, 1999, and generally is intended to protect individually identifiable health information that is either transmitted or maintained electronically. The comment period for the rule closed on Feb. 17, and the rule is not yet final. See 64 Fed. Reg. 59918.
2 A "covered" entity is defined in the HIPAA privacy rule to include health care providers, health plans and health care clearinghouses that transmit any health information in electronic form. See privacy rule at § 160.102. All citations to the privacy rule are intended to be to the proposed version of the rule.
3 A "business partner" is defined in the rule as "a person to whom a covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity." See § 164.504 of privacy rule.
4 64 Fed. Reg. at 59924.
5 "Protected Health Information" is defined in the rule as "individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form." Id.
6 Privacy rule at § 164.506(e)(2)(ii)(A).
7 See Restatement (2d) Contracts, § 302 and accompanying comments.
8 Id. at §§ 302, 315.
9 See, e.g., Moosehead Sanitary District v. S.G. Phillips Corp., 610 F.2d 49 (1st Cir. 1979); Ridgway v. Ford Dealer Computer Service Inc., 114 F.3d 94 (6th Cir. 1997); cf. Denman v. Peoples Heritage Bank Inc., 704 A.2d 411 (S. Ct. Me. 1997).
10 See Finch, Pruyn & Co. Inc. v. M. Wilson Control Service Inc., 658 N.Y.S. 2d 496 (App. Div. 3d Dept. 1997) (it is sufficient for the third party to be identifiable as beneficiary of promised performance); see also Restatement (2d) of Contracts, § 302(2).
11 Privacy rule at § 164.506(e)(2)(ii)(A).
12 Id. at § 164.515.
13 Id. at § 160.203.
14 Id. at § 160.202.
15 64 Fed. Reg. at 60008.
16 See Lawrence Gostin, "Health Information Privacy." 80 Cornell L. Rev. 451, 508 (1995).
17 Id.
18 Jane Doe v. Community Health Plan-Kaiser Corp., No. 85529, 2000 N.Y. App. Div. Lexis 5498 (N.Y. App. Div. 3d Dept., May 11, 2000).
19 See generally, L. Dahm, 50 State Survey on Patient Health Care Record Confidentiality, American Health Lawyers Association, June 1999.
20 See Cal. Civ. Code § 56 et seq. (2000).
21 See Mont. Code Ann. § 50-16-553 (1999); Wyo. Stat. Ann. § 35-2-616 (2000).
22 See Md. Ann., Health-General § 4-309 (1999); Tex. Health & Safety Code Ann. § 241.156 (2000); Wash. Rev. Code § 70.02.170(2000).
23 See New York State A.B. 4473, Feb. 10, 1999.
24 See generally, Unfair and Deceptive Acts and Practices (4th ed.), National Consumer Law Center.
© 1999 - Moses & Singer LLP all rights reserved.