Illinois Employers Have Bigger Concerns than HIPAA 

June 30, 2021

Many of our clients are irrationally fearful of HIPAA.  This fear is exacerbated by the fact that some employers collect medical information related to COVID along with vaccination information.  Make no mistake, HIPAA compliance is important.  But the Court of Appeals for the 4th Circuit recently reaffirmed that there is no private right of action against employers for a violation of HIPAA. Payne v. Taslimi, No. 18-7030 (4th Cir. May 27, 2021).  

A Reminder — What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies to confidential health information that is in the possession of a covered entity (a healthcare provider, a health plan, certain private employers, etc.) or its business associates. Covered entities in possession of health information are required to take reasonable steps to protect this information. In the event of a breach of HIPAA rules, employers are required to notify those whose information has been disclosed and in certain situations report the breach to the Department of Health and Human Services (“HHS”).

A Violation of HIPAA in Illinois Doesn’t Mean an Employer Can Be Sued

HIPAA delegates enforcement to the HHS and the State Attorneys General. Employers who breach HIPAA may face certain statutory penalties, but in many states they are not subject to private causes of action for breaches.  This is true in Illinois.

In 2019, the Court of Appeals for the 7th Circuit held that HIPAA does not create a private right of action for alleged disclosures of confidential medical information. Stewart v. Parkview Hosp., 940 F.3d 1013, 1016 (7th Cir. 2019). The 7th Circuit’s ruling in Stewart was consistent with rulings from the Second, Fifth, Eighth, Ninth, and Tenth Circuits, all of which have long held that HIPAA does not confer individual enforcement rights—express or implied.

Holdings like Stewart and Payne protect employers from claims by individual litigants seeking damages for HIPAA violations. In the 7th Circuit, and other like-minded circuits, individuals may not sue under HIPAA, even in cases where there are flagrant or obvious violations that negatively affected them. HIPAA rules are exclusively enforced by the Office of Civil Rights (OCR) within the HHS. The OCR may not impose a fine if the covered entity can demonstrate they did not act with “willful neglect” and corrected the problem within 30 days. 45 CFR 160.410(b).

Employer Takeaways

Employers may still face liability for mishandling of confidential information under the Americans with Disabilities Act, the Genetic Information Nondiscrimination Act, or certain state laws creating private causes of action in tort or negligence. Our initial advice is not to collect medical information in the first place.

If there is one statute that should strike fear in the hearts of Illinois employers, it is BIPA, not HIPAA. Under the Illinois Biometric Information Privacy Act (“BIPA”), individuals may take legal action against private entities even where the violation has not resulted in actual harm (for more information on BIPA, read here). The larger concern under BIPA is class action lawsuits.

The next time you hear talk of HIPAA liability thrown around casually, take heart. The concerns are probably overstated. But be aware that BIPA is out there too, and Illinois employers are a target for BIPA litigation from plaintiffs’ lawyers across the United States.

Clingen Callow & McLean, LLC