Will Gentler HIPAA Rules on Telehealth Now Protect Us From Breach Litigation Later?
Patricia Calhoun and Patricia Carreiro, attorneys at Carlton Field
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) — the government office responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) — has exercised its enforcement discretion to not impose penalties for noncompliance with certain HIPAA Rules during the COVID-19 emergency. However, this may not deter state regulators and/or private plaintiffs (i.e., patients) from suing telehealth providers if personal health information is breached.
While HIPAA does not provide a private right of action to patients, patients can still allege (among other things) that providers' use of unsecure technology is negligent, a breach of the provider–patient contract, and/or an unfair trade practice. Depending on the provider's representations, patients could even allege fraud. While some claims can be dealt with using an early motion to dismiss, others almost always survive, typically resulting in ...