Cleveland HIPAA Violation Lawyer

As a Cleveland HIPAA violation lawyer, I have researched the federal Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Ohio Revised Code and common law in order to prepare jury instructions for trial of a case commonly referred to as a “HIPAA violation lawsuit.”  The term “HIPAA violation lawsuit” is actually a misnomer since the HIPAA Act does not include a private right of action.  Indeed, pleading a claim as a HIPAA violation can lead to dismissal in some Ohio courts.  Instead, claims arising out of intentional or negligent disclosure of a patient’s protected health information are brought pursuant to a common law claim for breach of the patient’s right to privacy.  Breach of fiduciary duty might apply as well.

The Ohio Jury Instructions (OJI) do not contain instructions for violation of the right to privacy, nor are there any model instructions for such claims.  So, I prepared the following instructions using Ohio common law and the Restatement (Second) of Torts.  I thought I would share these original jury instructions with my colleagues who find themselves in a similar boat.  These instructions apply specifically to a scenario where a hospital employee snoops into the records of a patient.  But neither intent nor malice is a required element of the claim.  So, these instructions would apply equally to a scenario where clerical staff at a hospital inadvertently or negligently discloses a patient’s records to a third person without authority to do so.

Here are the proposed instructions:


  1. This is a claim brought by the Plaintiff [insert name] to recover damages for injuries claimed to have been caused by a violation of her right to privacy by the Defendant [insert name].  The Plaintiff must prove by the greater weight of the evidence that the Defendant disclosed her protected health information to a third party without authorization to do so.
  2. HEALTH INFORMATION DEFINED. Health information is the term given to health-related information that is created, received, stored, or transmitted by hospitals, their employees and other healthcare providers in the course of health care, healthcare operations and payment for healthcare services.  Protected health information relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
  3. THE PATIENT’S RIGHT TO PRIVACY. Health information is protected both under the federal and state privacy laws.  Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage.
  4. ACCESS OF HOSPITAL EMPLOYEES. A hospital employee can access a particular patient’s records only for a business reason related to treatment, payment or health care operations.
  5. SAFEGUARDS REQUIRED. Hospitals must implement policies and procedures to prevent members of their workforce who do not have authorization from obtaining access to patients’ electronic protected health information.  Hospitals must implement physical and technical safeguards to ensure the confidentiality of all protected health information that they create, receive or maintain.  Hospitals are also required to protect against any reasonably anticipated unauthorized use or disclosure of patients’ protected health information.
  6. CONFIDENTIALITY DEFINED. Confidentiality means that health information is not made available or disclosed to unauthorized persons or processes.
  7. PHYSICAL SAFEGUARDS. Physical safeguards are physical measures, policies, and procedures to protect a hospital’s electronic medical records from unauthorized intrusion.
  8. TECHNICAL SAFEGUARDS. Technical safeguards are the technology, and the policies and procedures for its use, that protect electronic medical records and control access to them.
  9. FOR PLAINTIFF. If you find that the Defendant [insert name] disclosed Plaintiff [insert name]’s protected health information to its employee without authorization to do so, then you will decide what amount of money will compensate Ms. [insert name] for the violation of her right to privacy.
  10. FOR DEFENDANT. On the other hand, you may find for the Defendant if Plaintiff failed to prove to you by the greater weight of the evidence that Defendant disclosed Plaintiff [insert name]’s protected health information to its employee without authorization to do so.

(SOURCE: 45 CFR secs. 164.304, et seq.; Biddle v Warren General Hospital (1999), 86 Ohio St.3d 395.)


  1. GENERAL. If you find for the Plaintiff, then you will decide the amount of money that will fairly compensate her.
  2. One who has established a cause of action for invasion of her privacy is entitled to recover damages for the following:

(a)  the harm to her interest in privacy resulting from the invasion;

(b)  her mental distress, including embarrassment, anger, humiliation, and anguish.

(c)  (Note: special damages, such as costs of counseling, public relations or expenses related to identity theft, may also be compensable.)

(SOURCE: Restatement (Second) of Torts sec. 652H.)

A final thought about vicarious liability.  In a snooping case, the hospital will attempt to avoid any accountability by arguing that the employee acted outside the scope of their employment in snooping on records.  Unfortunately, there is at least one Ohio court that has adopted this specious line of reasoning.  The foregoing instructions seek to put the onus directly on the hospital by showing that the hospital owes a duty to “ensure” that unauthorized snooping does not occur.  In this HIPAA violation lawyer’s opinion, that is the proper rule of law as clearly set forth in the federal regulatory framework.  In addition to the foregoing instructions, a privacy lawyer will want to include a standard instruction on vicarious liability as set forth in OJI CV 417.09; 423.03.  The applicability of vicarious liability will be addressed in a forthcoming blog.

For more information about jury instructions for HIPAA violations, contact us today at Mishkind Kulwicki Law Firm.