TMI!: HIPAA Informs State Law Negligence Claims

By Paul V. Esposito

Americans value their privacy. They particularly value it regarding medical matters. The reasons are many. A disclosure of private medical information can adversely impact a person’s employment. It can call unwanted attention to a person’s condition. It can impact personal relationships. It can even be downright embarrassing, requiring explanations that some would rather not make.

For Greg Shepherd, it was the latter. He was so embarrassed that he sued his pharmacist for negligent disclosure of information. The Arizona Supreme Court now says that the federal Health Insurance Portability and Accountability Act (HIPAA) may inform his state law claim.  Shepherd v. Costco Whsle. Corp., 482 P.3d 390 (Ariz. 2021).

Facts

As Shepherd tells the story, he went to his doctor’s office for a check-up and a prescription refill. While there, his doctor gave him a sample of an erectile dysfunction medication. When Shepherd went to Costco to pick up the refill, a full prescription of the E.D. med was also there. Shepherd rejected the E.D. med and told the Costco employee to cancel the prescription. The employee said he would. But the following month, the same thing happened.

The next day, Shepherd called Costco asking if his ex-wife, with whom he was trying to reconcile, could pick up his regular prescription. A Costco employee approved but did not tell Shepherd that the E.D. med was also awaiting pick-up. When the ex-wife went to the store, a Costco employee offered her both meds.  She refused the E.D. med; she and the employee laughed about it.

Apparently, she wasn’t laughing when she next saw Shepherd. She told him that she knew about the E.D. med and no longer wanted to be with him, ending Shepherd’s hope of reconciliation. And she blabbed to Shepherd’s children and friends about the medication.

Shepherd wasn’t laughing either. He complained to Costco, which acknowledged its violations of HIPAA and Costco privacy policy. Shepherd sued Costco for negligence, breach of fiduciary duty, fraud, negligent misrepresentation, intentional infliction of emotional distress, intrusion upon seclusion, and public disclosure of private facts. The trial court dismissed the complaint on grounds of state law immunity and preemption under HIPAA. The court of appeals affirmed the dismissal of everything but the negligence claim.

Analysis

Under Arizona statute, a health care provider acting in good faith is not liable for the unauthorized disclosure of medical records information. Supplying a definition missing from the statute, the Supreme Court defined “good faith” as an honest belief and the lack of malice or an intent to defraud or take unconscionable advantage. Whether Costco met the standard remained to be determined.

Costco argued that HIPAA neither created a private right of action for negligence per se nor established a standard of care for negligence. The Court agreed with courts nationwide that HIPAA did not create a private right of action. But it disagreed with Costco that HIPAA precluded state law negligence claims, citing state cases recognizing claims for privacy violations.

The Court also rejected Costco’s argument that by relying exclusively on HIPAA, Shepherd brought an impermissible negligence per se claim. After finding that Costco too restrictively read the complaint, it ruled that the weight of authority recognizes HIPAA’s relevance to state law negligence claims. Without itself defining the standard of care, HIPAA may at least inform the relevant state law standard of duty.

Learning Point:  The amount and availability of electronic medical information out there makes the unauthorized release of it predictable—even inevitable. Given the lack of a federal HIPAA cause of action, more and more states will find ways to incorporate HIPAA into state law negligence claims. Arizona is not the first state to do so. It won’t be the last.