Thursday, June 7, 2007
HIPAA Enforcement Steps Up
When the Health Insurance Portability and Accountability Act (HIPAA) became effective in 2003, many health care providers scrambled to create the privacy notices required by the Act and didn't give HIPAA a second thought. However, a recent spate of private HIPAA litigation is raising concern among hospitals and other health care providers. Although HIPAA does not provide a private right of action, several courts have recently allowed private plaintiffs to use HIPAA standards to prove liability for failure to sufficiently protect the plaintiffs' sensitive medical data. Courts in North Carolina and Utah have recognized a common law duty of confidentiality on the part of the health care provider, and have based that duty on the HIPAA standard of care to be applied to medical data. In addition, the U.S. Department of Health and Human Services, which enforces HIPAA, has been more actively enforcing its requirements and instituting new enforcement measures such as HIPAA compliance audits. Health care providers would be well-advised to review the data security of their patients' personal information to guard against potential liability and regulatory enforcement actions.