Faber v. Ciox Health, LLC, 2019 WL 6596501 (6th Cir. 2019)
A group of patients brought state-law claims against a medical records provider, alleging that the provider charged them more than allowed by HIPAA and the state’s medical records law for access to their medical records. As background, the HIPAA privacy rule requires covered entities (including health plans and most health care providers) to provide individuals, upon request, access to protected health information (PHI) about them in designated record sets maintained by or for the covered entity. HIPAA obligates business associates like the medical records provider to disclose electronic PHI to the covered entity, the requesting individual, or a third party designated by the individual in response to an individual’s request (see our Checkpoint article). HHS has issued guidance explaining the access right (see our Checkpoint article) and limitations on fees that can be charged for access and copies (see our Checkpoint article).
Although the patients asserted that the fees violated HIPAA, they brought their claims under state law because, the court noted, HIPAA does not authorize private rights of action. But the court held that the state-law claims failed because the state’s “common law is no substitute for the private right of action that Congress refused to create in HIPAA.” The court dismissed claims based on negligence, implied contract, and unjust enrichment because the patients could not establish that the medical records provider owed them a state-law duty to not overcharge for access to their medical records. The court also ruled that, although the state’s medical records law authorized a private right of action, its limitation on fees applied only to hospitals and not to the medical records provider. Thus, the court dismissed all the patients’ claims.
EBIA Comment: Although HHS has provided detailed guidance on HIPAA’s individual access right, it is unclear how individuals may assert that right given the absence of a private right of action under HIPAA. However, the absence of a private right of action should not be viewed as a free pass. Courts are split on whether individuals can use state law to vindicate their HIPAA rights (see our Checkpoint article). And covered entities and business associates should be mindful of enforcement activity under HHS’s right of access initiative (see our Checkpoint article) and should review the HHS guidance carefully. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXVII.B (“Right to Access PHI in Designated Record Set”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 2/20/19).
Contributing Editors: EBIA Staff.