TMI!: HIPAA Informs State Law Negligence Claims

By Paul V. Esposito

Americans value their privacy. They particularly value it regarding medical matters. The reasons are many. A disclosure of private medical information can adversely impact a person’s employment. It can call unwanted attention to a person’s condition. It can impact personal relationships. It can even be downright embarrassing, requiring explanations that some would rather not make.

For Greg Shepherd, it was the latter. He was so embarrassed that he sued his pharmacist for negligent disclosure of information. The Arizona Supreme Court now says that the federal Health Insurance Portability and Accountability Act (HIPAA) may inform his state law claim.  Shepherd v. Costco Whsle. Corp., 482 P.3d 390 (Ariz. 2021).


As Shepherd tells the story, he went to his doctor’s office for a check-up and a prescription refill. While there, his doctor gave him a sample of an erectile dysfunction medication. When Shepherd went to Costco to pick up the refill, a full prescription of the E.D. med was also there. Shepherd rejected the E.D. med and told the Costco employee to cancel the prescription. The employee said he would. But the following month, the same thing happened.

The next day, Shepherd called Costco asking if his ex-wife, with whom he was trying to reconcile, could pick up his regular prescription. A Costco employee approved but did not tell Shepherd that the E.D. med was also awaiting pick-up. When the ex-wife went to the store, a Costco employee offered her both meds.  She refused the E.D. med; she and the employee laughed about it.

Apparently, she wasn’t laughing when she next saw Shepherd. She told him that she knew about the E.D. med and no longer wanted to be with him, ending Shepherd’s hope of reconciliation. And she blabbed to Shepherd’s children and friends about the medication.

Shepherd wasn’t laughing either. He complained to Costco, which acknowledged its violations of HIPAA and Costco privacy policy. Shepherd sued Costco for negligence, breach of fiduciary duty, fraud, negligent misrepresentation, intentional infliction of emotional distress, intrusion upon seclusion, and public disclosure of private facts. The trial court dismissed the complaint on grounds of state law immunity and preemption under HIPAA. The court of appeals affirmed the dismissal of everything but the negligence claim.


Under Arizona statute, a health care provider acting in good faith is not liable for the unauthorized disclosure of medical records information. Supplying a definition missing from the statute, the Supreme Court defined “good faith” as an honest belief and the lack of malice or an intent to defraud or take unconscionable advantage. Whether Costco met the standard remained to be determined.

Costco argued that HIPAA neither created a private right of action for negligence per se nor established a standard of care for negligence. The Court agreed with courts nationwide that HIPAA did not create a private right of action. But it disagreed with Costco that HIPAA precluded state law negligence claims, citing state cases recognizing claims for privacy violations.

The Court also rejected Costco’s argument that by relying exclusively on HIPAA, Shepherd brought an impermissible negligence per se claim. After finding that Costco too restrictively read the complaint, it ruled that the weight of authority recognizes HIPAA’s relevance to state law negligence claims. Without itself defining the standard of care, HIPAA may at least inform the relevant state law standard of duty.

Learning Point:  The amount and availability of electronic medical information out there makes the unauthorized release of it predictable—even inevitable. Given the lack of a federal HIPAA cause of action, more and more states will find ways to incorporate HIPAA into state law negligence claims. Arizona is not the first state to do so. It won’t be the last.

  • Chicago

    Illinois 60603

    10 South LaSalle Street

    Chicago, Illinois 60603

    T: 312.855.1010 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Dennis D. Fitzpatrick

  • New York

    New York 10005

    28 Liberty Street 39th Floor

    New York, New York 10005

    T: 212.805.3900 TF: 800.826.3505 F: 212.805.3939 Office Managing Partner: Carl M. Perri

  • Mission Viejo

    California 92691

    27285 Las Ramblas

    Suite 200

    Mission Viejo, California 92691

    T: 949.260.3100 TF: 800.826.3505 F: 949.260.3190 Office Managing Partner: Ian R. Feldman

  • Florham Park

    New Jersey 07932

    100 Campus Drive

    Florham Park, New Jersey 07932

    T: 973.410.4130 TF: 800.826.3505 F: 973.410.4169 Office Managing Partner: Carl M. Perri

  • Michigan City

    Indiana 46360

    200 Commerce Square

    Michigan City, Indiana 46360

    T: 219.262.6106 TF: 800.826.3505 F: 312.606.7777 Office Managing Partners: Paige M. Neel, Kimbley A. Kearney

  • Appleton

    Wisconsin 54914

    4650 W. Spencer Street

    Appleton, Wisconsin 54914

    T: 920.560.4658 TF: 800.826.3505 F: 920.968.4650 Office Managing Partner:

  • Stamford

    Connecticut 06902

    68 Southfield Avenue

    2 Stamford Landing Suite 100

    Stamford, Connecticut 06902

    T: 203.921.0303 TF: 800.826.3505 F: 212.805.3939 Office Managing Partner: Matthew J. Van Dusen

  • Tampa

    Florida 33609

    4830 West Kennedy Boulevard, One Urban Center

    Suite 600

    Tampa, Florida 33609

    T: 813.509.2578 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Dennis D. Fitzpatrick

  • San Francisco

    California 94111

    100 Pine Street

    Suite 1250

    San Francisco, California 94111

    T: 415.287.2744 TF: 800.826.3505 F: 949.260.3190 Office Managing Partner: Ian R. Feldman

  • Houston

    Texas 77019

    2929 Allen Parkway

    American General Center, Suite 200

    Houston, Texas 77019

    T: 346.229.4612 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Ramy P. Elmasri

  • Dallas

    Texas 75201

    325 N. Saint Paul Street

    Suite 3100

    Dallas, Texas 75201

    T: 469.942.8635 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Ramy P. Elmasri

  • Boca Raton

    Florida 33434

    7777 Glades Road

    Suite 405

    Boca Raton, Florida 33434

    T: 561.765.5305 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Dennis D. Fitzpatrick