We have another guest post today, from Reed Smith‘s own Erica Yen.  This one is about a recent, interesting decision concerning the interaction between the Health Insurance Portability and Accountability Act (“HIPAA”) and the common law – with a good result this time.  As always, our guest bloggers are 100% responsible for their posts, and Erica deserves all the credit (and any blame) for what follows.

**********

As noted in our post last month, the fact that HIPAA does not provide for a private right of action has not stopped some state courts from allowing negligence claims using HIPAA to define a standard of care. That post discussed the Connecticut Supreme Court’s questionable creation of a new tort of “unauthorized disclosure of confidential medical information” by a healthcare provider.

When the plaintiff in the recent case of Haywood v. Novartis Pharmaceuticals Corp., No. 2:15-CV-373, 2018 WL 437562 (N.D. Ill. Jan. 16, 2018), first filed her complaint in state court, she probably was hoping that the same expansive reasoning used in the Connecticut case would extend to the alleged disclosure by a pharmaceutical company of her private medical information to her employer. In federal court, however, her unusual negligence claims were not allowed to proceed, under HIPAA or otherwise.

In Haywood, the plaintiff had applied for a co-pay assistance program administered by the defendant to help offset the cost of purchasing that defendant’s prescription medications. Id. at *1. Despite an alleged written request that no information be sent to her workplace, the defendant allegedly faxed information that became available to the plaintiff’s co-workers. The information allegedly included her social security number, date of birth, income, Medicare number, disease, treatment, and medical providers. Id. The relevant (amended) complaint alleged negligence and negligent training and supervision in violating duties owed to her under (1) the defendant’s Privacy Notice and Privacy Statement, (2) Indiana state law, and (3) HIPAA. Id. She also claimed punitive damages based on supposed reckless indifference by disclosing the information against her written request not to do so. Id.

The end result? The court held that the defendant drug manufacturer did not owe the plaintiff any duty for the following reasons, and the plaintiff was not entitled to any punitive damages.

First, the court was not persuaded by the plaintiff’s argument that the defendant’s Privacy Notice and Privacy Statement, posted on its website, created a duty of privacy to her as a customer. Id. at *4. The privacy policies posted online concerned dissemination of information to business partners who were prohibited from using customers’ personal data for marketing purposes. Dissemination to plaintiff’s place of employment had nothing to do with third-party marketing. The defendant’s privacy policies did not set forth any obligations with respect to general non-disclosure, and the court found that the plaintiff’s unilateral request not to send information to her workplace could not, by itself, create a legal duty. Id.

Second, the section of the Indiana Code the plaintiff cited, Ind. C. §25-26-13-15(b), failed to create a duty either. While facially applicable to the defendant, as the specific statute applied to “any ‘person’ with patient information,” the court held that as a whole it regulated “Pharmacists, Pharmacies, and Drug Stores.” The defendant was not any of those, nor did the statute purport to regulate the manufacture of pharmaceuticals or the administration of co-payment assistance programs. That the defendant was a “provider of pharmaceuticals” was not enough to bring it within the purview of a statute addressed to other types of entities and conduct. Therefore, no statutory duty could be owed to the plaintiff. Id.

Third, the court dismissed the plaintiff’s attempt to allege a negligence per se theory that the defendant violated HIPAA standards. Id. at *7. Given that HIPAA does not provide for a private right of action and enforcement was intended to be solely under the authority of the Department of Health and Human Services, allowing state law claims that rely on HIPAA would allow plaintiffs to sidestep those enforcement mechanisms. Id. That sounds a lot like how the FDCA works.

Lastly, the court noted that there was no precedent in the jurisdiction to suggest that a pharmaceutical company has a general duty to safeguard an individual’s personal information from disclosure. Id. at *8. The court could have stopped there but went further to explain the reasons why it concluded a duty should not be imposed at common law, after examining (1) the relationship between the parties, (2) the reasonable foreseeability of harm, and (3) public policy concerns:

    • The relationship between a potential customer and co-pay assistance company, as in the case here, was not similar to the relationship between a pharmacist and consumer “mainly because the direct contact, expertise, reliance, and counseling aspects of the relationship are wholly lacking.” Id.

 

  • Given that much of an employee’s personal information was likely already available to his or her employer anyway and was unlikely to cause adverse consequences, the foreseeability of legally actionable harm was minimal. Id. at *8-9.
  • Given the growing amount of sensitive personal information generally being made available to third parties in today’s digital society, even if a pharmaceutical company could theoretically bear the liability from inadvertent disclosures, “[a]ssigning significant moral blame to a pharmaceutical corporation in this situation is disproportionate to the actual acts performed (i.e., negligently disclosing information to an employer during a routine application process) . . . Imposing a duty to safeguard information from all possible disclosures upon any party or entity who happens to be in possession of the personal information of another would expand liability in a way that has the potential to stifle the collection of data and the routine processing of information.” Id. at *9. A Seventh Circuit decision analyzing the Indiana data disclosure statute had found no private right of action against a database owner for negligently disclosing information; rather the database owner only had to disclose the breach to customers and let the state attorney general handle enforcement. Id. (citing Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 636-637 (7th Cir. 2007)).

Based on this reasoning, and exercising appropriate restraint under the Erie doctrine, Haywood concluded that the plaintiff failed to state any viable claim for negligence, negligent training and supervision, or punitive damages. Notwithstanding the importance of protecting health information, and even assuming the defendant’s handling of the plaintiff’s information was done in error, the court acted reasonably in not opening the gates to the kind of expansive duty and liability the plaintiff sought. The unsatisfied plaintiff filed an appeal to the Seventh Circuit just a few weeks ago. See Case No. 18-1328 (filed February 24, 2018). It would be surprising if the Seventh Circuit did not agree with the district court’s analysis and conclusion.