Suggested Citation:"XIII. JUDICIAL CLAIMS FOR HEALTH PRIVACY VIOLATIONS ." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

4. In an amount of less than $50,000 for a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date a covered entity or business associate liable for the penalty knew or by exercising reasonable diligence would have known that a violation had occurred.[331]

The Secretary is permitted to consider a number of mitigating and aggravating factors in determining the amount of a CMP,[332] to settle any issue or compromise any penalty,[333] and to collect any penalty including by a civil action brought in the appropriate federal district court.[334]

As of May 31, 2012, the OCR of HHS had investigated and resolved over 16,259 cases with most complaints being filed against private practices, general hospitals, outpatient facilities, health plans, and pharmacies.[335] Prior to HITECH, most of the alleged HIPAA violations did not result in an assessment of actual monetary damages.[336] Even in cases in which penalties are assessed, complainants generally do not receive a portion of the CMPs collected from covered entities or business associates.

C. Criminal Penalties

It is important to note that although persons such as employees or other individuals who are not covered entities or business associates may not be held liable for CMPs, they are subject to possible criminal penalties under HIPAA.[337]

Criminal penalties may be imposed for violations of HIPAA when a person knowingly violates HIPAA by obtaining and using a unique health identifier; by obtaining individually identifiable health information relating to an individual; or disclosing IIHI to another person.[338] A clear threshold is set for a violation: a person commits a violation when he or she obtains or discloses individually identifiable health information maintained by a covered entity without authorization to do so.[339] The penalty for a violation may be up to $50,000 and/or up to 1 year in prison. If a violation is committed under false pretenses, the violator may be fined up to $100,000, receive a prison sentence of up to 5 years, or both. Finally, if a violation is committed with the intent to sell, transfer, or use individually identifiable health information for commercial gain, malicious harm, or personal gain, a person may be fined up to $250,000, sentenced up to 10 years in prison, or both.[340]

XIII. JUDICIAL CLAIMS FOR HEALTH PRIVACY VIOLATIONS

A. Section 1983 Claims for Wrongful Disclosure of Health Information

Under 42 U.S.C. § 1983, individuals may bring an action against one who deprives them of a “federally secured” right.[341] There may be a narrow category of claims for which a plaintiff could bring an action against a transit agency under § 1983 for an unauthorized disclosure of a person’s health information.[342] As the Second Circuit recognized in Matson v. Board of Education of the City School District of New York,[343] “there exists in the United States Constitution a right to privacy protecting ‘the individual interest in avoiding disclosure of personal matters (citations omitted) (some internal quotation marks omitted).’”[344] There is some medical information that comes within “this constitutionally protected sphere” that is actionable under § 1983.[345]

In Matson, the Second Circuit discussed medical conditions that are protected by a constitutional right of privacy. Matson suffered from a medical condition known as fibromyalgia. Her condition was revealed as a result of her use of sick leave that prompted an investigation. The Board of Education of the City School District of New York’s report of the investigation was publicized on the Web site of the Special Commissioner of Investigations for the New York City School District.[346] Matson brought a civil rights action under § 1983 for a violation of her constitutional right to privacy. In dismissing her claim, the district court held that the disclosure of the plaintiff’s particular medical condition did not give rise to a constitutionally protected right.[347] The basis of the decision was that there was no evidence of a history of discrimination against persons with fibromyalgia.[348]

The Second Circuit’s opinion affirming the district court’s dismissal of her claim sets forth what the majority of the panel determined to be the constitutional law of privacy of one’s health information. The court agreed that the right to privacy includes the right to protect against the disclosure of one’s health information,[349] but the scope of the right to privacy depends on the nature of the condition.[350] Based on prior precedents, the court held that to be actionable a person’s medical condition that is disclosed must be one that would expose the subject of the information to “discrimination and intolerance.”[351] The court found that there were only a few instances in which the court had held that the nature of a medical condition that was disclosed would subject one to discrimination and intolerance: a disclosure that a person has HIV/AIDS;[352] a disclosure of a person’s transsexualism;[353] and a disclosure of one’s psychiatric health and substance abuse history that may submit one to “public opprobrium.”[354] The court in Matson stated that its decision in O’Connor v. Pierson[355] did not announce “a rule that would protect all medical conditions from disclosure.”[356] Rather, whether there is an invasion of privacy that violates the Constitution must be determined on a case-by-case basis.[357] The court held that the disclosure of Matson’s medical condition did not violate a constitutional right to privacy as the record did not establish a history of “societal discrimination” against and “intolerance” of persons suffering from fibromyalgia, nor did the plaintiff show that she had experienced any discrimination as a result of the disclosure.[358] A dissenting opinion argued that the court’s decision “gives the government substantial reign to publicly disseminate a person’s medical information without any justification.”[359]

Although there may be a small category of constitutionally protected claims for a violation of a person’s medical privacy under § 1983, existing precedent appears to preclude a § 1983 action for the violation of a constitutionally-protected right of privacy of one’s health information except under the circumstances outlined in the Matson case. As discussed in Matson, other medical conditions, although serious, if disclosed without a subject’s consent, such as having Hepatitis C,[360] a wrist injury and stomach problems,[361] cancer,[362] or tuberculosis,[363] have been held not to give rise to a constitutional claim under § 1983 for an invasion of health privacy. Thus, the “‘privacy of certain medical conditions’ has been ‘constitutionalized’ only ‘[w]ithin narrow parameters.’”[364] Nevertheless, transit agencies having health information on patrons should exercise appropriate care to maintain the confidentiality of their records. The courts determine on a case-by-case basis whether the disclosure of a particular medical condition comes within the narrow parameters of a constitutional right to privacy that is actionable under § 1983.[365]

As for § 1983 and HIPAA violations, it does not appear that the courts would permit a § 1983 action against a transit agency on the basis of an alleged violation of HIPAA. Since the Supreme Court’s decision in Gonzaga University v. Doe,[366] the Court has “significantly limited a civil rights plaintiff’s ability to bring a private action under § 1983.”[367] The Court’s decision in City of Rancho Palos Verdes v. Abrams “further restricted the use of § 1983.”[368]

Plaintiffs seeking to use § 1983 to redress Privacy Rule violations must allege that HIPAA gives them the right to medical privacy and that the defendant deprived them of this right by disclosing their private medical information. However, the Supreme Court’s trend toward limiting the applicability of § 1983 makes it doubtful that a plaintiff could successfully use § 1983 to enforce a violation of HIPAA’s Privacy Rule. The Privacy Rule ostensibly lacks the explicit rights-creating language that the court required in Gonzaga. Additionally, Abrams poses a barrier to the use of § 1983 to enforce Privacy Rule violations since the administrative remedies set forth by HIPAA arguably preclude resort to § 1983.[369]

For a private corporation performing a governmental function to be held liable under § 1983 a plaintiff must prove three elements:

(1) the presence of a policy-maker who could be held responsible, through actual or constructive knowledge, for enforcing a policy or custom that caused the claimed injury; (2) that the corporation has an official custom or policy that could subject it to Section 1983 liability; and (3) that the corporate action was taken with the requisite degree of culpability, with a direct causal link between the action and the deprivation of federal rights.[370]

However, since the Gonzaga and Abrams decisions unless a statute or regulation authorizes a private right of action, patients and other individuals “whose privacy rights have been violated must look elsewhere for a possible right of action.”[371] As discussed in the next section, there is no private right of action under HIPAA whereby a plaintiff may claim damages against a person or an entity, including a transit agency, for a violation of HIPAA such as for an unauthorized disclosure of a plaintiff’s health information.

B. No Private Right of Action for a HIPAA Violation

Neither HIPAA nor the regulations promulgated thereunder provide for a private right of action. Thus, HIPAA does not authorize a private right of action by an individual against a covered entity or a business associate for a breach of privacy or security of his or her health information. Only the Secretary of HHS or state attorneys general may take administrative or judicial action, respectively, to enforce HIPAA.[372]

There is likewise no implied right of action under HIPAA. Although not involving HIPAA, in Alexander v. Sandoval[373] the Supreme Court held that regulations promulgated by the Department of Justice pursuant to Title VI of the Civil Rights Act of 1964 did not create an implied private right of action. In similar fashion, HIPAA’s Privacy Rule lacks the sort of “‘rights-creating’ language critical to showing the requisite congressional intent to create new rights.”[374]

Notes

331 45 C.F.R. § 160.404(b)(2)(iv)(A) (2013).
332 45 C.F.R. § 160.408 (2013).
333 45 C.F.R. § 160.416 (2013).
334 45 C.F.R. § 160.424(b) (2013). See 42 U.S.C. § 1320a-7a(f) (providing for the disposition of CMPs that are recovered).
335 U.S. DEP’T OF HEALTH AND HUMAN SERVICES, HEALTH INFORMATION POLICY, ENFORCEMENT HIGHLIGHTS, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html.
336 Brill, supra note 323, at 2129 (article published prior to HITECH’s amendments to HIPAA).
337 HITECH § 13409 and 42 U.S.C. § 17938 (2013). See also Acevedo & Rathburn, supra note 15, at *14.
338 42 U.S.C. §§ 1320d–6(a)(1)-(3) (2013).
339 42 U.S.C. § 1320d–6(a) (2013).
340 42 U.S.C. § 1320d–6(b) (2013).
341 Joshua D.W. Collins, Toothless HIPAA: Searching for a Private Right of Action to Remedy Privacy Rule Violations, 60 VAND. L. REV. 199, 203 (2007), hereinafter referred to as “Collins.”
342 Section 1983 states in part that [e]very person who, under color of any statute, ordinance, regulation, custom, or usage, of any State or Territory or the District of Columbia, subjects, or causes to be subjected, any citizen of the United States or other person within the jurisdiction thereof to the deprivation of any rights, privileges, or immunities secured by the Constitution and laws, shall be liable to the party injured in an action at law.
343 631 F.3d 57 (2d Cir. 2011).
344 Id. at 64.
345 In re Search Warrant, 810 F.2d 67, 71 (3d Cir. 1987); see also United States v. Westinghouse Elec. Corp., 638 F. 2d 570, 577 (3d Cir. 1980).
346 Matson, 631 F. 3d at 58.
347 Id. at 62.
348 Id.
349 Id. at 64-65.
350 Id. at 64.
351 Id.
352 Doe v. City of New York, 15 F. 3d 264, 266-67 (2d Cir. 1994).
353 Powell v. Schriver, 175 F. 3d 107, 110-112 (2d Cir. 1999).
354 O’Connor v. Pierson, 426 F.3d 187 (2d Cir. 2005).
355 Id.
356 Matson, 631 F.3d at 65.
357 Id. at 66.
358 Id. at 67.
359 Id. at 69 (Straub, C.J., dissenting op.).
360 Watson v. Wright, 2010 U.S. Dist. LEXIS 586, at *1 (N.D.N.Y. 2010).
361 Rush v. Artuz, 2004 U.S. DIST. LEXIS 15333, at *1 (S.D.N.Y. 2004).
362 Golub v. Enquirer/Star Group, Inc., 89 N.Y.2d 1074, 1077, 681 N.E.2d 1282, 659 N.Y.S.2d 836 (1997).
363 Cruz v. Latin News Impacto Newspaper, 216 A.D.2d 50, 627 N.Y.S.2d 388, 389 (1995).
364 Matson, 631 F.3d at 66 (quoting Powell, 175 F.3d at 112).
365 Id. at 66. The Matson court stated: In considering claims that a constitutional right of privacy attaches to various serious medical conditions, we also proceed on a case-by-case basis. In doing so, we examine all the relevant factors that cut both in favor of and against extending privacy protection to such medical conditions. This type of analysis necessarily will include certain medical conditions but will exclude others (emphasis added). Id. at 66–67.
366 536 U.S. 273, 122 S. Ct. 2268, 153 L. Ed.2d 309 (2002).
367 Collins, supra note 341, at 204.
368 Id. at 207.
369 Id. at 208.
370 Watkins, 2013 U.S. DIST. LEXIS 66376 at 17-18 (citing Olivas v. Corrections Corp., 408 F. Supp.2d 251, 255 (N.D. Tex. 2006)). The court in Watkins also stated that the courts have held also that liability in § 1983 actions may not be based on the doctrine of respondeat superior. Id. at 17.
371 Collins, supra note 334, at 212.
372 42 U.S.C. § 300gg-22 (2013).
373 532 U.S. 275, 290, 293, 121 S. Ct. 1511, 1521-1522, 1523, 149 L. Ed.2d 517, 531, 532-533 (2001) (stating that congressional inclusion of an express method of enforcing a substantive rule “suggests that Congress intended to preclude” other methods and holding that “[N]either as originally enacted nor as later amended does Title VI display an intent to create a freestanding private right of action to enforce regulations promulgated under § 602”).
374 Collins, supra note 341, at 208 (quoting Gonzaga Univ. v. Doe, 536 U.S. 273, 287 (2002)).


TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
