When physicians and other health care providers wrongfully disclose personal health information, patients often ask if they have any recourse against the providers. HIPAA – popularly known as the statute that protects personal health information – in fact does not provide a private cause of action for health information breaches. Instead, HIPAA allows individuals to submit complaints to the Department of Health and Human Services’ Office of Civil Rights, which investigates complaints and imposes penalties where appropriate. HIPAA notwithstanding, South Carolina patients are not without recourse for wrongful disclosures.
South Carolina recognizes a cause of action for breach of confidentiality by a health care provider. (For you lawyers out there, the operative case is McCormick v. England, 328 S.C. 627 (S.C. Ct. App. 1997).) SC courts have acknowledged that a duty of confidentiality exists between a physician and his patient, even though SC does not have a physician-patient privilege. A physician’s breach of this duty, “in the absence of a compelling public interest or other justification for the disclosure,” creates an actionable tort. The duty of confidentiality is not absolute, and whether a physician was justified in making a disclosure is a question of fact. To date, the cause of action for breach of confidentiality has only been held to apply to physicians.
Breach of confidentiality claims are distinguishable from invasion of privacy claims. Invasion of privacy consists of (1) an intentional public disclosure of private facts, (2) the disclosure of which would be “highly offensive and likely to cause serious mental injury to a person of ordinary sensibilities.” A key component of invasion of privacy is the publicity: it must involve disclosure to the public, not merely disclosure to an individual or a small group of people. Accordingly, a breach of confidentiality claim can exist where an invasion of privacy claim does not. Most of the claims related to inappropriate disclosures by health care providers are likely to be breaches of confidentiality, not invasions of privacy.
An unresolved issue is whether HIPAA may be relevant to breach of confidentiality claims. Courts in other states have found that, to the extent that health providers follow HIPAA’s mandated procedures for handling their patients’ information, HIPAA may inform the standard of care in breach of confidentiality cases. In 2011, the United States District Court for the District of South Carolina (while rejecting the idea that HIPAA creates a duty of confidentiality) noted that whether HIPAA could be used as a standard of care is a “potentially complex question of law,” which it declined to answer. Future patient claims for breach of confidentiality may shed more light on the role of HIPAA in private actions.
From the provider’s perspective, it’s important to remember that a disclosure of personal health information creates two fronts of potential exposure: on the public side, a HIPAA investigation by OCR; and on the private side, a patient’s lawsuit for breach of confidentiality. Whether the disclosure resulted from careless handling of data files, a hack, or wagging tongues at the front desk, the provider will need to be prepared to defend against both fronts.