Congress intended to preclude private enforcement….
While no other circuit court has specifically addressed this issue, we are not alone in our conclusion that Congress did not intend for private enforcement of HIPAA. Every district court that has considered this issue is in agreement that the statute does not support a private right of action. . . .239
Thus a private right of action may not be implied in HIPAA nor may the federal regulatory scheme be used to fashion a state negligence per se action. However, it does not follow that all jurisdictions will treat HIPAA as irrelevant to state tort claims such as breach of confidence, negligent infliction of emotional distress, negligent misrepresentation, or even simple negligence. For example, in the recent case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the court not only denied the defendant’s argument that HIPAA preempted state common law causes of action but also stated:
[T]o the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records.240
Notwithstanding that HIPAA is a “compelled” custom, it has been adopted by most health care providers suggesting that HIPAA-derived norms will be increasingly important in privacy and security litigation.241
B. Causation and Damages Issues
Strict liability breach of confidence actions and HIPAA-informed negligence actions undoubtedly help plaintiffs hold defendants liable for privacy and security breaches. However, plaintiffs still face two linked and persistent problems: proving causation and damages. Many of these issues surface in security breach class actions where they are magnified by Article III standing issues242 and the certification requirements of commonality and
239. Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006). 240. Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 49 (Conn. 2014). 241. Karen J. Maschke, The Implications of the HIPAA Privacy Rule for Quality- Improvement Activities, in HEALTH CARE QUALITY IMPROVEMEN T: ETHICAL AND REGULATORY ISSUES 107, 122 (Bruce Jennings, et al. ed., 2007). 242. See generally Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2347 (2014) (hearing a suit brought by advocacy organizations challenging an Ohio statute that criminalized false statements about candidates during political campaigns); Clapper v.