Illinois Employers Have Bigger Concerns than HIPAA
Many of our clients are irrationally fearful of HIPAA. This fear is exacerbated by the fact that some employers collect medical information related to COVID along with vaccination information. Make no mistake, HIPAA compliance is important. But the Court of Appeals for the 4th Circuit recently reaffirmed that there is no private right of action against employers for a violation of HIPAA. Payne v. Taslimi, No. 18-7030 (4th Cir. May 27, 2021).
A Reminder — What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies to confidential health information that is in the possession of a covered entity (a healthcare provider, a health plan, certain private employers, etc.) or its business associates. Covered entities in possession of health information are required to take reasonable steps to protect this information. In the event of a breach of HIPAA rules, employers are required to notify those whose information has been disclosed and in certain situations report the breach to the Department of Health and Human Services (“HHS”).
A Violation of HIPAA in Illinois Doesn’t
Mean an Employer Can Be Sued
HIPAA delegates enforcement to the HHS and the State Attorneys General. Employers who breach HIPAA may face certain statutory penalties, but in many states they are not subject to private causes of action for breaches. This is true in Illinois.
In 2019, the Court of Appeals for the 7th Circuit held HIPAA does not create a private right of action for alleged disclosures of confidential medical information. Stewart v. Parkview Hosp., 940 F.3d 1013, 1016 (7th Cir. 2019). The 7th Circuit’s ruling in Stewart was consistent with rulings from the Second, Fifth, Eighth, Ninth, and Tenth Circuits, all of whom have long held that HIPAA does not confer individual enforcement rights—express or implied.
Holdings like Stewart and Payne protect employers from claims by individual litigants seeking damages for HIPAA violations. In the 7th Circuit, and other likeminded circuits, individuals may not sue under HIPAA, even in cases where there are flagrant or obvious violations that negatively affected them. HIPAA rules are exclusively enforced by the Office of Civil Rights (OCR) within the HHS. The OCR may not impose a fine if the covered entity can demonstrate they did not act with “willful neglect” and corrected the problem within 30 days. 45 CFR 160.410(b).
Employers may still face liability for mishandling of confidential information under the Americans with Disabilities Act, the Genetic Information Nondiscrimination Act, or certain state laws creating private causes of action in tort or negligence. Our initial advice is not to collect medical information in the first place.
If there is one statute that should strike fear in the hearts of Illinois employers it is BIPA not HIPAA. Under the Illinois Biometric Information Privacy Act (“BIPA”), individuals may take legal action against private entities even where the violation has not resulted in actual harm (For more information on BIPA read here). The larger concern under BIPA is class action lawsuits.
The next time you hear talk of HIPAA liability thrown around casually, take heart. The concerns are probably overstated. But be aware that BIPA is out there too, and Illinois employers are a target for BIPA litigation from plaintiff’s lawyers across the United States.