4. In an amount of less than $50,000 for a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date a covered entity or business associate liable for the penalty knew or by exercising reasonable diligence would have known that a violation had occurred.331

The Secretary is permitted to consider a number of mitigating and aggravating factors in determining the amount of a CMP,332 to settle any issue or compromise any penalty,333 and to collect any penalty including by a civil action brought in the appropriate federal district court.334

As of May 31, 2012, the OCR of HHS had investigated and resolved over 16,259 cases with most complaints being filed against private practices, general hospitals, outpatient facilities, health plans, and pharmacies.335 Prior to HITECH, most of the alleged HIPAA violations did not result in an assessment of actual monetary damages.336 Even in cases in which penalties are assessed, complainants generally do not receive a portion of the CMPs collected from covered entities or business associates.

C. Criminal Penalties

It is important to note that although persons such as employees or other individuals who are not covered entities or business associates may not be held liable for CMPs, they are subject to possible criminal penalties under HIPAA.337

Criminal penalties may be imposed for violations of HIPAA when a person knowingly violates HIPAA by obtaining and using a unique health identifier; by obtaining individually identifiable health information relating to an individual; or disclosing IIHI to another person.338 A clear threshold is set for a violation: a person commits a violation when he or she obtains or discloses individually identifiable health information maintained by a covered entity without authorization to do so.339 The penalty for a violation may be up to $50,000 and/or up to 1 year in prison. If a violation is committed under false pretenses, the violator may be fined up to $100,000, receive a prison sentence of up to 5 years, or both. Finally, if a violation is committed with the intent to sell, transfer, or use individually identifiable health information for commercial gain, malicious harm, or personal gain, a person may be fined up to $250,000, sentenced up to 10 years in prison, or both.340

XIII. JUDICIAL CLAIMS FOR HEALTH PRIVACY VIOLATIONS

A. Section 1983 Claims for Wrongful Disclosure of Health Information

Under 42 U.S.C. § 1983, individuals may bring an action against one who deprives them of a "federally secured" right.341 There may be a narrow category of claims for which a plaintiff could bring an action against a transit agency under § 1983 for an unauthorized disclosure of a person's health information.342 As the Second Circuit recognized in Matson v. Board of Education of the City School District of New York,343 "there exists in the United States Constitution a right to privacy protecting 'the individual interest in avoiding disclosure of personal matters (citations omitted) (some internal quotation marks omitted).'"344 There is some medical information that comes within "this constitutionally protected sphere" that is actionable under § 1983.345

In Matson, the Second Circuit discussed medical conditions that are protected by a constitutional right of privacy. Matson suffered from a medical condition known as fibromyalgia. Her condition was revealed as a result of her use of sick leave that prompted an investigation. The Board of Education of the City School District of New York's report of the investigation was publicized on the Web site of the Special Commissioner of Investigations for the New York City School District.346 Matson brought a civil rights action under § 1983 for a violation of her constitutional right to privacy. In dismissing her claim, the district court held that the disclosure of the plaintiff's particular medical condition did not give rise to a constitutionally protected right.347 The basis of the decision was that there was no evidence of a history of discrimination against persons with fibromyalgia.348

The Second Circuit's opinion affirming the district court's dismissal of her claim sets forth what the majority of the panel determined to be the constitutional law of privacy of one's health information. The court agreed that the right to privacy includes the right to protect against the disclosure of one's health information,349 but the scope of the right to privacy depends on the nature of the condition.350 Based on prior precedents, the court held that to be actionable a person's medical condition that is disclosed must be one that would expose the subject of the information to "discrimination and intolerance."351 The court found that there were only a few instances in which the court had held that the nature of a medical condition that was disclosed would subject one to discrimination and intolerance: a disclosure that a person has HIV/AIDS;352 a disclosure of a person's transsexualism;353 and a disclosure of one's psychiatric health and substance abuse history that may submit one to "public opprobrium."354

The court in Matson stated that its decision in O'Connor v. Pierson355 did not announce "a rule that would protect all medical conditions from disclosure."356 Rather, whether there is an invasion of privacy that violates the Constitution must be determined on a case-by-case basis.357 The court held that the disclosure of Matson's medical condition did not violate a constitutional right to privacy as the record did not establish a history of "societal discrimination" against and "intolerance" of persons suffering from fibromyalgia, nor did the plaintiff show that she had experienced any discrimination as a result of the disclosure.358 A dissenting opinion argued that the court's decision "gives the government substantial reign to publicly disseminate a person's medical information without any justification."359

Although there may be a small category of constitutionally protected claims for a violation of a person's medical privacy under § 1983, existing precedent appears to preclude a § 1983 action for the violation of a constitutionally-protected right of privacy of one's health information except under the circumstances outlined in the Matson case. As discussed in Matson, other medical conditions, although serious, if disclosed without a subject's consent, such as having Hepatitis C,360 a wrist injury and stomach problems,361 cancer,362 or tuberculosis,363 have been held not to give rise to a constitutional claim under § 1983 for an invasion of health privacy. Thus, the "'privacy of certain medical conditions' has been 'constitutionalized' only '[w]ithin narrow parameters.'"364 Nevertheless, transit agencies having health information on patrons should exercise appropriate care to maintain the confidentiality of their records. The courts determine on a case-by-case basis whether the disclosure of a particular medical condition comes within the narrow parameters of a constitutional right to privacy that is actionable under § 1983.365

As for § 1983 and HIPAA violations, it does not appear that the courts would permit a § 1983 action against a transit agency on the basis of an alleged violation of HIPAA. Since the Supreme Court's decision in Gonzaga University v. Doe,366 the Court has "significantly limited a civil rights plaintiff's ability to bring a private action under § 1983."367 The Court's decision in City of Rancho Palos Verdes v. Abrams "further restricted the use of § 1983."368

Plaintiffs seeking to use § 1983 to redress Privacy Rule violations must allege that HIPAA gives them the right to medical privacy and that the defendant deprived them of this right by disclosing their private medical information. However, the Supreme Court's trend toward limiting the applicability of § 1983 makes it doubtful that a plaintiff could successfully use § 1983 to enforce a violation of HIPAA's Privacy Rule. The Privacy Rule ostensibly lacks the explicit rights-creating language that the court required in Gonzaga. Additionally, Abrams poses a barrier to the use of § 1983 to enforce Privacy Rule violations since the administrative remedies set forth by HIPAA arguably preclude resort to § 1983.369

For a private corporation performing a governmental function to be held liable under § 1983 a plaintiff must prove three elements:

(1) the presence of a policy-maker who could be held responsible, through actual or constructive knowledge, for enforcing a policy or custom that caused the claimed injury; (2) that the corporation has an official custom or policy that could subject it to Section 1983 liability; and (3) that the corporate action was taken with the requisite degree of culpability, with a direct causal link between the action and the deprivation of federal rights.370

However, since the Gonzaga and Abrams decisions, unless a statute or regulation authorizes a private right of action, patients and other individuals "whose privacy rights have been violated must look elsewhere for a possible right of action."371 As discussed in the next section, there is no private right of action under HIPAA whereby a plaintiff may claim damages against a person or an entity, including a transit agency, for a violation of HIPAA such as for an unauthorized disclosure of a plaintiff's health information.

B. No Private Right of Action for a HIPAA Violation

Neither HIPAA nor the regulations promulgated thereunder provide for a private right of action. Thus, HIPAA does not authorize a private right of action by an individual against a covered entity or a business associate for a breach of privacy or security of his or her health information. Only the Secretary of HHS or state attorneys general may take administrative or judicial action, respectively, to enforce HIPAA.372

There is likewise no implied right of action under HIPAA. Although not involving HIPAA, in Alexander v. Sandoval373 the Supreme Court held that regulations promulgated by the Department of Justice pursuant to Title VI of the Civil Rights Act of 1964 did not create an implied private right of action. In similar fashion, HIPAA's Privacy Rule lacks the sort of "'rights-creating' language critical to showing the requisite congressional intent to create new rights."374

331 45 C.F.R. § 160.404(b)(2)(iv)(A) (2013).
332 45 C.F.R. § 160.408 (2013).
333 45 C.F.R. § 160.416 (2013).
334 45 C.F.R. § 160.424(b) (2013). See 42 U.S.C. § 1320a-7a(f) (providing for the disposition of CMPs that are recovered).
335 U.S. DEP'T OF HEALTH AND HUMAN SERVICES, HEALTH INFORMATION POLICY, ENFORCEMENT HIGHLIGHTS, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html.
336 Brill, supra note 323, at 2129 (article published prior to HITECH's amendments to HIPAA).
337 HITECH § 13409 and 42 U.S.C. § 17938 (2013). See also Acevedo & Rathburn, supra note 15, at *14.
338 42 U.S.C. §§ 1320d-6(a)(1)-(3) (2013).
339 42 U.S.C. § 1320d-6(a) (2013).
340 42 U.S.C. § 1320d-6(b) (2013).
341 Joshua D.W. Collins, Toothless HIPAA: Searching for a Private Right of Action to Remedy Privacy Rule Violations, 60 VAND. L. REV. 199, 203 (2007), hereinafter referred to as "Collins."
342 Section 1983 states in part that [e]very person who, under color of any statute, ordinance, regulation, custom, or usage, of any State or Territory or the District of Columbia, subjects, or causes to be subjected, any citizen of the United States or other person within the jurisdiction thereof to the deprivation of any rights, privileges, or immunities secured by the Constitution and laws, shall be liable to the party injured in an action at law.
343 631 F.3d 57 (2d Cir. 2011).
344 Id. at 64.
345 In re Search Warrant, 810 F.2d 67, 71 (3d Cir. 1987); see also United States v. Westinghouse Elec. Corp., 638 F.2d 570, 577 (3d Cir. 1980).
346 Matson, 631 F.3d at 58.
347 Id. at 62.
348 Id.
349 Id. at 64-65.
350 Id. at 64.
351 Id.
352 Doe v. City of New York, 15 F.3d 264, 266-67 (2d Cir. 1994).
353 Powell v. Schriver, 175 F.3d 107, 110-112 (2d Cir. 1999).
354 O'Connor v. Pierson, 426 F.3d 187 (2d Cir. 2005).
355 Id.
356 Matson, 631 F.3d at 65.
357 Id. at 66.
358 Id. at 67.
359 Id. at 69 (Straub, C.J., dissenting op.).
360 Watson v. Wright, 2010 U.S. Dist. LEXIS 586, at *1 (N.D.N.Y. 2010).
361 Rush v. Artuz, 2004 U.S. DIST. LEXIS 15333, at *1 (S.D.N.Y. 2004).
362 Golub v. Enquirer/Star Group, Inc., 89 N.Y.2d 1074, 1077, 681 N.E.2d 1282, 659 N.Y.S.2d 836 (1997).
363 Cruz v. Latin News Impacto Newspaper, 216 A.D.2d 50, 627 N.Y.S.2d 388, 389 (1995).
364 Matson, 631 F.3d at 66 (quoting Powell, 175 F.3d at 112).
365 Id. at 66. The Matson court stated: In considering claims that a constitutional right of privacy attaches to various serious medical conditions, we also proceed on a case-by-case basis. In doing so, we examine all the relevant factors that cut both in favor of and against extending privacy protection to such medical conditions. This type of analysis necessarily will include certain medical conditions but will exclude others (emphasis added). Id. at 66-67.
366 536 U.S. 273, 122 S. Ct. 2268, 153 L. Ed.2d 309 (2002).
367 Collins, supra note 341, at 204.
368 Id. at 207.
369 Id. at 208.
370 Watkins, 2013 U.S. DIST. LEXIS 66376 at 17-18 (citing Olivas v. Corrections Corp., 408 F. Supp.2d 251, 255 (N.D. Tex. 2006)). The court in Watkins also stated that the courts have held also that liability in § 1983 actions may not be based on the doctrine of respondeat superior. Id. at 17.
371 Collins, supra note 334, at 212.
372 42 U.S.C. § 300gg-22 (2013).
373 532 U.S. 275, 290, 293, 121 S. Ct. 1511, 1521-1522, 1523, 149 L. Ed.2d 517, 531, 532-533 (2001) (stating that congressional inclusion of an express method of enforcing a substantive rule "suggests that Congress intended to preclude" other methods and holding that "[N]either as originally enacted nor as later amended does Title VI display an intent to create a freestanding private right of action to enforce regulations promulgated under § 602").
374 Collins, supra note 341, at 208 (quoting Gonzaga Univ. v. Doe, 536 U.S. 273, 287 (2002)).