A recent federal court lawsuit by a private individual accusing Laboratory Corporation of America (LabCorp) of violating the Health Insurance Portability and Accountability Act was dismissed, confirming the well-established premise that HIPAA does not establish a private right of action for violations. This result must be distinguished from recent cases brought under various states’ laws in which HIPAA was deemed to establish a general standard of care for healthcare providers.The U.S. District Court for the District of Columbia dismissed the lawsuit by plaintiff Hope Lee-Thomas on June 15. She had alleged that LabCorp violated HIPAA by failing to place partitions around the computer work stations where patients enter their personal health information, which potentially permits others nearby to view the information. The Court found that the plaintiff could not maintain an action based solely on HIPAA, which can be enforced only by the U.S. Department of Health and Human Services and individual states’ attorneys general.
As most recently discussed here, a number of state courts have held that HIPAA’s requirements establish a de facto standard of care that can be used as a predicate for private actions for negligence, breach of the duty of confidentiality, infliction of emotional distress, and other claims.