Lack of Statutory Private Right of Action is No Bar to Privacy Suit
HIPAA and several other privacy laws do not include a private right of action. This is cold comfort for healthcare providers, health plans and other members of the healthcare industry if a patient is able to demonstrate that the statutory violation caused actual harm. In an opinion filed on Nov. 9, 2018, Florida's Fifth District Court of Appeal held that a patient could bring a claim for breach of fiduciary duty and negligence relating to a physician's disclosure of medical records. LeBlanc v. Acevedo involves a former Florida Department of Corrections (DOC) employee, Daniel LeBlanc, who sought treatment from Dr. Yuliya Acevedo for high blood pressure. Dr. Acevedo recommended that he take time off from work and also see a psychiatrist. On his second visit, the doctor concluded that his blood pressure was stable and he could return to work, but Mr. LeBlanc refused to resume his duties.
His employer then sent a questionnaire to the doctor asking about Mr. LeBlanc's ability to resume his duties. Without requesting or receiving the patient's authorization, the doctor returned the questionnaire to the employer, along with portions of the medical record, and noted that Mr. LeBlanc needed a psychiatric evaluation prior to returning to work. DOC then required Mr. LeBlanc to undergo a fitness for duty evaluation by a psychiatrist, who determined that he was unfit to return to work, and DOC terminated his employment.
When Mr. LeBlanc appealed his termination with the Public Employees Relations Commission (PERC), he learned that his doctor had provided his medical information to DOC without his authorization. PERC found that Mr. LeBlanc's termination had been appropriate, and he then brought a claim against his physician and her office for breach of fiduciary duty and negligence.
The lower court held that Mr. LeBlanc could not bring a claim for breach of fiduciary duty and that he did not demonstrate that Dr. Acevedo's negligence was the cause of his injury. The lower court found that Mr. LeBlanc could not bring a claim under the Florida law governing privacy of physician records, Section 456.057, Florida Statutes, which does not include a private right of action. The appellate court noted that the patient's claim was brought as a common law tort and was not based on that statute. The court stated that "[b]ecause the violation of a statutorily-imposed duty of confidentiality is actionable under the common law, the trial court erred when it held that Mr. LeBlanc could not bring a claim for breach of fiduciary duty based on Dr. Acevedo's unauthorized disclosure of Mr. LeBlanc's medical records." The court also held that the negligence count and the question of whether the doctor's negligence was the proximate cause of Mr. LeBlanc's injury were questions for the jury.
Healthcare providers, health plans and other individuals and entities that have statutory requirements to keep data private and secure should not take compliance for granted based on the fact that most of these laws contain no private right of action. If a plaintiff can show injury that resulted from a statutory violation, it could lead to financial liability.