Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
38 In Acara v. Banks375 the United States Court of Appeals for the Fifth Circuit stated: Private rights of action to enforce federal law must be created by Congress. HIPAA has no express provision creating a private cause of action, and therefore we must determine if such is implied within the statute. The judi- cial task is to interpret the statute Congress has passed to determine whether it displays an intent to create not just a private right but also a private remedy. Statutory intent on this latter point is determinative.... HIPAA does not contain any express language conferring privacy rights upon a specific class of individuals (citations omit- ted) (emphasis added).376 Furthermore, HIPAAâs Enforcement Rule pro- viding for administrative complaints, remedies, and CMPs are âa strong indication that Congress intended to preclude private enforcement.â377 Other courts have held as well that there is no implied right of action for private litigants to sue either a covered entity or a business associate for an alleged violation of the HIPAA require- ments.378 However, it has been held that in a tort action brought under state law the HIPAA stan- dards may be evidence of the required standard of care applicable to the protection of health infor- mation.379 Finally, transit agencies having health infor- mation on patrons reported that they have not been sued nor have they been the subject of an 375 470 F.3d 569, 570 (5th Cir. 2006). 376 Id. at 571. 377 Id. 378 Cintron-Garcia v. Supermercados Econo, Inc., 818 F. Supp. 2d 500 (D.P.R. 2011); Quintana v. Lightner, 818 F. Supp. 2d 964 (N.D. Tex. 2011); Carpenter v. Phil- lips, 419 Fed. Appx. 658 (7th Cir. 2011); Bonney v. Stephens Memorial Hosp., 2011 Me. 46, 17 A. 3d 123 (Me. 2011); Seaton v. Mayberg, 610 F. 3d 530 (9th Cir. 2010); Wilkerson v. Shinseki, 606 F. 3d 1256 (10th Cir. 2010); Spencer v. Roche, 755 F. Supp. 2d 250 (D. Mass. 2010); Johnson v. Quander, 370 F. Supp. 2d 79 (D.D.C. 2005); University of Colorado Hospital v. Denver, 340 F. Supp. 2d 1142 (D. Col. 2004) (court rejecting the hospi- talâs contention that the failure to recognize an implied right of action would effectively frustrate the purposes of enacting HIPAA); OâDonnell v. Blue Cross Blue Shield of Wyo., 173 F. Supp. 2d 1176 (D. Wyo. 2001); Brock v. Provident Am. Ins. Co., 144 F. Supp. 2d 652, 657 (N.D. Tex. 2001); Means v. Ind. Life & Accident Ins. Co., 963 F. Supp. 1131, 1135 (M.D. Ala. 1997). 379 See discussion in Section XVII.C.1. See Sorenson v. Barbuto, 2006 UT App. 340, 143 P. 3d 295 (2006) and Acosta v. Byrum, 180 N. C. App. 562, 638 S.E. 2d 246 (2006). administrative proceeding concerning their han- dling of health information on their patrons.380 In sum, there is no private right of action under HIPAA. Any legal action for damages by a patron against a transit agency would have to be brought under another federal privacy law or under state law.381 XIV. COMMENTATORSâ VIEWS OF HIPAA Commentators have divergent views on HIPAAâs efficacy. Some writers are more sanguine than others. One writer argues that the Privacy Rule assures that an individualâs health informa- tion will be protected by HIPAA but permits the release of âhealth information needed to provide and promote high quality health care, and to pro- tect the publicâs health and well-beingâ¦.â382 The writer argues that HIPAA âprovides federal pro- tections for personal health information held by covered entities and gives patients an array of rights with respect to that information;â383 prohib- its those subject to HIPAA from âreleasing to third parties any personal health information that may lead to the identification of an individual without that individualâs express consent;â384 âcre- ates national standards to keep individualsâ medi- cal records and other personal health information confidential;â ârestrictsâ¦the ability of health plans, health care clearinghouses, and most health care providers to divulge patient medical records;â385 and requires a covered entity to pro- vide an individual with notice of a covered entityâs practices âconcerning the uses and disclosures that may be made of such information.â386 HIPAAâs critics, however, argue that HIPAA does not create patient rights or protect the confi- dentiality of patientsâ health information. One argues that HIPAA is âin essence a federal confi- dentiality code based around a regulatory compli- ance modelâ that permits âwidespread sharing of medical data among 800,000 or so health, busi- ness and government entities.â387 Another source 380 Two transit agencies did not respond to the ques- tion. 381 Collins, supra note 341, at 208. 382 Weiss, supra note 265, at 255. 383 Id. 384 Id. at 256â57. 385 Id. at 257. 386 Id. 387 Nicolas P. Terry & Leslie P. Francis, Ensuring the Privacy and Confidentiality of Electronic Health Re-