Publications

Avoid the Growing Pitfalls of Medical Privacy Litigation

February 2006

Medical privacy litigation is growing rapidly in Ohio. In the wake of two major changes in the law in this area, medical providers and other businesses that maintain protected health information (“PHI”) such as medical records are seeing an increasing number of lawsuits alleging improper disclosures of such confidential information. This new wave of potential liability presents several avoidable pitfalls for Ohio businesses and individuals.

The two major changes in the law of medical privacy, as it relates to Ohio litigants, are: (1) the watershed case of Biddle v. Warren General Hosp. (1999), 86 Ohio St.3d 395; and (2) the passage of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The 1999 Biddle case recognized a new and independent tort under Ohio law arising from the unauthorized, improper disclosure of confidential information to third parties.

The federal HIPAA privacy rules, which took effect on April 14, 2003, provide a number of requirements whereby “covered entities” (entities that routinely handle PHI) must take certain steps to avoid improperly disclosing confidential information. See 45 C.F.R. Parts 160 and 164, et seq. These HIPAA regulations include requirements that covered entities give individuals notice of their privacy practices, try to obtain written acknowledgment of receipt of the notice, and obtain authorizations when applicable. Furthermore, covered entities must limit disclosure of confidential information to certain designated activities such as health care operations, patient care and payment.

The combined effect of Biddle and HIPAA on medical privacy litigation in Ohio has only begun to appear. Recent developments show that plaintiffs are finding more opportunities to file litigation alleging improper disclosure of PHI.

For example, in Gomcsak v. Dawson, Cuyahoga County, Ohio Court of Common Pleas, Case No. 481082, filed September 9, 2002, plaintiff’s medical records were subpoenaed by her husband’s attorney during their divorce proceedings. Without plaintiff’s authorization, a report was provided by her social worker and medical records were released by her gynecologist pursuant to the subpoena. Thereafter, plaintiff filed her Complaint asserting that defendants (the social worker and her gynecologist) breached their duty of confidentiality. Although the social worker settled with plaintiff on the day of trial, a jury rendered a verdict against the gynecologist for $80,000.

As the Gomcsak case demonstrates, the growing field of medical privacy can be a litigation trap for the unwary. Covered entities must be careful when releasing PHI to third parties involved in litigation. In this situation, a subpoena alone will usually not suffice to release PHI. PHI can generally only be released when the patient has expressly or impliedly authorized the release, or pursuant to a court order. See Pacheco v. Ortiz (1983), 11 Ohio Misc. 2d 1.

In order to prevent such medical privacy lawsuits, it is important that covered entities be aware of the basic requirements of HIPAA, including: (1) notifying patients about their privacy rights and how their information can be used; (2) adopting and implementing privacy procedures such as the use of consent forms; (3) training employees so that they understand the privacy procedures; (4) designating an individual to be responsible for seeing that the privacy procedures are adopted and followed; and (5) securing patient records containing PHI so that these records are not readily available to employees who do not require access.

Medical privacy litigation can also arise from acts of vendors and related businesses. HIPAA addresses the relationship between covered entities and their “business associates” – contractors or other nonemployee affiliates hired to do the work of, or for, a covered entity that involves the use or disclosure of PHI. Covered entities are required to include specific provisions in agreements with business associates to safeguard PHI, but they are not required to oversee the means by which their business associates carry out privacy safeguards or the extent to which they abide by the privacy requirement of the contract. However, if a covered entity discovers a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, potentially terminate the contract with the business associate.

Another area of concern in medical privacy litigation arises when a covered entity becomes involved in a legal proceeding as either the plaintiff or defendant. In such a scenario, the covered entity may generally use or disclose PHI for purposes of the litigation. The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish its intended purpose.

Finally, medical privacy litigants should be aware that HIPAA has been consistently interpreted to prohibit a private right of action. See Johnson v. Quander, 370 F. Supp. 2d 79, 99 (D. D.C. 2005); O’Donnell v. Blue Cross Blue Shield of Wyo., 173 F. Supp. 2d 1176, 1179-81 (D. Wyo. 2001). Therefore, although HIPAA regulations can be used as standards for certain types of conduct, these regulations cannot generally serve as a basis for removal to federal court based on federal question jurisdiction. The statute does, however, permit a plaintiff to file a complaint with the Department of Health and Human Services, Office of Civil Rights (the government agency responsible for enforcing HIPAA). Such complaints can potentially lead to civil and criminal penalties against the violator.

For more information, please contact a member of Tucker Ellis & West LLP’s Professional & Products Liability Group.

1150 Huntington Building
925 Euclid Avenue
Cleveland, OH 44115-1414
216-592-5000 (phone)
216.592.5009 (facsimile)

www.tuckerellis.com

This Report has been prepared by Tucker Ellis & West LLP for the information of our clients and friends. Although prepared by professionals, this update should not be utilized as a substitute for legal counseling in specific situations. Readers should not act upon the information contained herein without professional guidance.

© Tucker Ellis & West LLP
