While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (65 Fed. Reg. 82566).  This is made abundantly clear from the commentary to the regulations and HIPAA’s legislative history. And while many federal district courts have dismissed individual plaintiffs’ lawsuits under this rule, the Fifth Circuit, in the case of Acara v. Banks (5th Cir. Nov.13, 2006), has become the first federal appellate court to affirm the ruling. The Fifth Circuit supported its decision by noting that the U.S. Department of Health and Human Services was granted comprehensive enforcement powers under HIPAA through its Office of Civil Rights.
Enforcement by regulators, rather than through private actions, hopefully allows for a uniform national standard with which providers can comply and that consumers will understand. By contrast, private causes of action would result in the competing interpretations resulting less certainty and clarity.
What are the patient’s rights under HIPAA? Under HIPAA, patients have the right to:
·     Receive a privacy notice to inform them about how protected information will be used and disclosed;
·     Request that uses and disclosure of protected information be restricted (covered entities are not required to always agree to restrictions);
·     Inspect, copy and amend their medical records (providers are allowed to charge a reasonable fee for copying expenses);
·     Get an accounting of the disclosure of their protected information for the past six years; and
·     File a complaint.
But then…there’s always State law. State law, however, may arguably provide other theories of liability, such as violations of other statutory confidentiality restrictions, slander, intentional infliction of emotional distress, casting in a false light, etc. And remember that such HIPAA restrictions apply in employer use of workers’ protected health information in addition to that of consumers.  Rather than a straightforward “HIPAA lawsuit,†you are much more likely to see HIPAA’s privacy requirements to bolster claims for other breaches of confidentiality and privacy rights under Texas law.