2016 Liability for Mobile Health & Wearable Technologies 93
VI. PRIVACY-SECURITY LIABILITY EXPOSURE
The Privacy and Security Rules authorized by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) present a compliance-oriented regulatory model and do not provide for a private right of action.227 In 2009, the HIPAA-amending Health Information Technology for Economic and Clinical Health (HITECH) Act included a provision that would allow persons injured by privacy or security breaches to receive compensation based on a “percentage of any civil monetary penalty or monetary settlement.”228 However, this provision has not been acted upon, for reasons that are unclear.229 In contrast to federal law, a small number of state privacy statutes allow for a private right of action. For example, California’s Confidentiality of Medical Information Act (CMIA) provides:
In addition to any other remedies available at law, a patient whose medical information has been used or disclosed … and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed three thousand dollars ($3,000), attorneys’ fees not to exceed one thousand dollars ($1,000), and the costs of litigation.230
Notwithstanding, most plaintiffs injured by a provider or developer data breach will have to rely on common law causes of action.
A. Causes of Action
The traditional common law privacy torts, such as intrusion on seclusion or public disclosure of private facts, are discrete, limited causes of action that provide damage remedies for a limited range of unlawful data collection.231 Dependent on a showing of specific intent, they are also quite difficult to prove.232 Of considerably more utility is the breach of confidence tort that applies to those who disclose information that had been given to them in privacy.233
227. See 45 C.F.R. § 160 (2013); 45 C.F.R. § 164 (2013).
228. 42 U.S.C. § 17939 (2010).
229. Id.
230. CAL. CIV. CODE § 56.35 (West 2000).
231. RESTATEMENT (SECOND) OF TORTS § 652A-652B, 652H (AM. LAW INST. 1977).
232. See, e.g., Knight v. Penobscot Bay Med. Ctr., 420 A.2d 915 (Me. 1980) (rejecting plaintiff’s appeal of lower court’s ruling that defendants, a hospital, a doctor, a nurse, and an observer, invaded plaintiffs’ privacy); cf. Estate of Berthiaume v. Pratt, 365 A.2d 792 (Me. 1976) (sustaining the administratrix’ appeal of the grant of a directed verdict in favor of the surgeon and ordered a new trial as to the administratrix’ invasion of privacy and assault and battery causes of action involving the photographs of her deceased husband which were taken by the surgeon while her husband was dying).
233. See, e.g., Johns v. Firstar Bank, NA, No. 2004-CA-001558-MR, 2006 Ky. App.