More Coverage, More Problems: No Private Remedies for Kentuckians Hurt by HIPAA Violations After Adoption of the Affordable Care Act

Note | 103 KY. L. J. ONLINE 7 | Aug. 7, 2015

Chelsea N. Hayes[1]

Introduction

Kentucky is leading the way in America’s first state-based exchange to implement the Affordable Care Act (hereinafter “ACA”).[2] While this presumably will assist the one in six Kentuckians who are uninsured,[3] doctors and medical facilities may mistakenly disclose private documents with the high influx of new patients. Therefore, Kentucky citizens may question how to resolve violations of privacy mandated by the Health Insurance Portability and Accountability Act (hereinafter “HIPAA”).[4]

HIPAA does not create a state-based private cause of action for violations of its privacy provisions.[5] Kentucky also has no state statute or common law right allowing state private causes of action for HIPAA violations.[6] While Kentucky has legislated a statute allowing private causes of action for other state statute violations, this right does not extend to federal statutes (e.g. HIPAA), regulations, or local ordinances.[7] Because HIPAA does not provide a plaintiff a federal private cause of action,[8] Kentucky refuses to infer a right where Congress has not.[9] Currently, the only way a person may pursue HIPAA violations is by filing a complaint with the Federal Office of Civil Rights (hereinafter “OCR”),[10] yet the individual receives no personal compensation.

This note will first explore the interplay between the ACA and HIPAA in Section I, elaborating on Kentucky’s adoption of the ACA and expansion of its medical landscape. Section II explains existing precedent regarding state remedies for HIPAA violations and emphasizes aggrieved Kentuckians’ lack of recovery. Section III illuminates how Kentucky’s medical landscape is not unique from other states’, which allow state based causes of action. As a result, Kentucky should enact a statutory private cause of action to develop its medical landscape alongside the expansion of healthcare similar to West Virginia’s legislative scheme.

I. Background: Interaction between The Affordable Care Act and HIPAA

The implementation of the ACA allows millions of Americans the opportunity to receive affordable healthcare. Kentucky quickly adopted the ACA on a state level to provide statewide coverage and accessibility to Kentuckians.[11] As the number of individuals accessing healthcare increases, providers may become overwhelmed, and some protected health information may be unintentionally disclosed to the public. HIPAA governs these disclosures via regulations, violations, fines, and incarcerations,[12] incentivizing doctors and other health professionals to proceed carefully and diligently with the influx of patients. HIPAA alone, however, is insufficient to adequately address privacy because enforcement wavers at best, and individuals cannot receive adequate compensation because no federal private cause of action exists.

A. The Affordable Care Act

The ACA, enacted in 2010, employed a patient’s “Bill of Rights,” allowing “the American people the stability and flexibility [needed] to make informed decisions about their health.”[13] As of January 1, 2014, an estimated 14 million Americans will gain health insurance coverage via the Medicaid expansion or individual and/or small business tax reimbursements to lower healthcare costs via the federal and participating state exchanges.[14]

These implementations provide individuals minimum health coverage that was once too costly to afford. More particularly, the Medicaid expansion[15] allows more vulnerable individuals 65 years or younger with an annual income below 133 percent of the federal poverty line to gain coverage despite pre-existing conditions or the inability to pay.[16] This means great benefits for the 7.8 million rural Americans who the United States Department of Health and Human Services (hereinafter “HHS”) predicts gained access to medical coverage under the ACA expansion.[17] Kentuckians are among these Americans who will benefit greatly.

B. Kentucky’s Adoption of the ACA

In 2013, 640,000 Kentuckians were uninsured, entailing approximately 15 percent of the state’s population.[18] Prompted by the ACA, Kentucky created Kynect, its state healthcare exchange.[19] According to the Washington Post, “56,422 [Kentuckians] have signed up for new health-care coverage, with 45,622 of them enrolled in Medicaid and the rest in private health plans, according to figures released by the governor’s office . . . .”[20]

Of the estimated 640,000 Kentuckians covered, 308,000 could become insured after expansion of the Medicaid eligibility guidelines in accordance with the ACA.[21] This number forecasts that many Kentuckians can seek once unobtainable medical care for untreated conditions stemming from smoking, cancer, preventable hospitalizations, heart disease, etc.[22]

When Kentucky welcomed the ACA, however, officials may not have anticipated increasing HIPAA violations. Healthcare reform has allowed Kentuckians to seek healthcare with lower financial cost, but a potentially more significant one: possible loss of personal privacy with no compensation. According to the HHS, “[a]s of December 31, 2013, [the Office of Civil Rights] had 258 open complaints and compliance reviews” for HIPAA violations.[23] While this is a national statistic, one can only imagine the increase in complaints upon adoption of the ACA within Kentucky. Each of the 258 disclosures represents a person, who if he or she lived in Kentucky, would have no private cause of action to recover despite federal legislation.

C. HIPAA Governs Personal Health Information Leaks

Congress enacted HIPAA on August 21, 1996.[24] HIPAA’s main purpose is to encourage uniform standards and requirements for storing protected health information (hereinafter “PHI”) and to reduce clerical burdens on all involved parties.[25] Accordingly, those who maintain PHIs adopt “administrative, technical, and physical safeguards . . . to ensure the integrity and confidentiality of the information, to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information, and otherwise to ensure compliance with this part by the officers and employees of such person.”[26]

HIPAA forms are the norm in all offices handling PHI because legislation covers health care providers, health care clearing houses, and health plans (all considered “covered entities”).[27] In 2009, the Health Information Technology for Economic and Clinical Health Act[28] (hereinafter “HITECH”) required modification and strengthening of the HIPAA’s rules by mandating the inclusion of business associates[29] in conjunction with covered entities. HITECH also added levels of culpability for PHI violations.[30]

A covered entity breaches HIPAA when it discloses PHI without permission or for an inappropriate purpose.[31] This violation does not have to be intentional, but instead may be inadvertent.[32] In order to seek redress for a suspected HIPPA violation, an individual must file a complaint with the Secretary of the HHS.[33] The OCR, a subdivision under the HHS, manages and investigates violation complaints or suspicion of HIPAA violations.[34] After a covered entity violates HIPAA, the OCR allows a time frame in which the covered entity may take a “satisfactory” action to correct the breach and mitigate the damages.[35] If corrective action is taken, the OCR will simply fine the covered entity via civil penalties,[36] and if the violation is criminal in nature, the OCR may instruct the Department of Justice to investigate.[37]

When civil monetary damages are sought for HIPAA violations, complainants or aggrieved persons themselves do not receive money compensation.[38] Instead, recoveries are deposited into the U.S. Treasury to further assist HIPAA investigations.[39] The aggrieved person merely receives notifications regarding the resolution of the violations.[40] While HIPAA clearly defines what constitutes a violation, the Act omits any express private cause of action for individuals to seek compensation for the dissemination of their PHI.[41] Consequently, complainants are merely left with filing a complaint to the OCR, with few states providing additional redress.[42]

II. Case Law: Few State Causes of Action for HIPAA Violations

HIPAA violations have increased throughout the years, but aggrieved persons are left with no federal remedies because HIPAA does not generate a private cause of action.[43] Some states, however, allow recovery in state court via common law tort claims and/or statutory recoveries.[44] States such as West Virginia recognize both, whereas Kentucky recognizes neither.[45]

A. Aggrieved Persons Harmed by HIPAA Violations Cannot Recover in Federal Court

The Supreme Court iterated in 1979 that despite a person violating a federal statute and harming another individual, a violation does not automatically prompt a private cause of action.[46] As a result, harmed persons do not individually benefit from HIPAA protections.[47] In fact, the Supreme Court in 2001 stated that HIPAA will never provide a cause of action for wronged individuals unless amended with the intent to establish that right.[48] This results in summary judgment for the defendant covered entity,[49] and the OCR provides the singular remedy.[50]

B. States Allowing HIPAA Violations to Establish the Standard of Care in Tort Claims

Recently few states have allowed HIPAA guidelines to provide the standard of care for common law claims in state court litigation. In these jurisdictions, HIPAA rules supply the baseline for what a medical professional should do regarding privacy and security of PHI in negligence claims. This allows plaintiffs to claim that the covered entity was negligent according to the statutory regulations of HIPAA without need for expert testimony, establishing negligence per se.[51] A negligence per se claim statutorily establishes the standard of care[52] and permits aggrieved individuals to recover tort damages where no compensatory remedy is available through the OCR.[53] Additionally, this method allows plaintiffs to stand in court without immediately granting the defendant summary judgment.[54] The small number of state cases, indicates that this recovery has not yet picked up steam, but serves as a reminder that states surrounding Kentucky have implemented repercussions for breaches of HIPAA whether through negligence per se or other common law torts.[55]

C. State Statutory Recoveries for HIPAA Violations

Apart from common law tort claims, fourteen states have created a statutory cause of action for HIPAA violations.[56] For example, West Virginia is a model state to explore the effect of both common law and statutory recoveries for HIPAA violations,[57] and will provide the exemplars for this discussion.[58] The West Virginia statute was enacted in 1983,[59] and the state’s highest court further elaborated on this statute by reaffirming a patient’s ongoing right to sue over a HIPAA violation because both a well-recognized common law and statutory right existed under state law.[60] As a result, these states[61] protect privacy by allowing individuals a private cause of action as long as the statute mandates more privacy provisions than HIPAA to avoid federal preemption issues. HIPAA contains a preemption provision mandating that HIPAA supersede any contrary provision of state law.[62] Some courts have grappled with the idea of HIPAA preemption if the states were to create common law or statutory causes of action.

West Virginia’s highest court has led the way in litigation and explanation of HIPAA preemption, iterating that HIPPA does not preempt state statutory causes of action for the wrongful disclosure of PHI.[63] In order for HIPAA to preempt any state statute, the state law must be contrary to HIPAA.[64] A law is not contrary if the state law is more stringent than a HIPAA standard, requirement, or implementation.[65] In R.K. v. St. Mary’s Medical Center, Inc., the West Virginia court held “such state-law claims compliment [sic] HIPAA by enhancing the penalties for its violation and thereby encouraging HIPAA compliance.”[66] The plaintiff, R.K., filed state law claims after disclosing otherwise-undisclosed personal information to hospital employees in order to seek treatment.[67] While hospitalized, hospital employees accessed R.K.’s record without permission and relayed PHI to his estranged wife and her divorce lawyer.[68] R.K. initiated state law claims including, but not limited to, breach of confidentiality and invasion of privacy.[69]

While the circuit court stated HIPAA preempted these claims, [70] the higher court disagreed, analyzing Yath v. Fairview Clinics, N.P.,[71] involving a state statutory cause of action. Here, the defendant’s clinic tested the plaintiff, Yath, for a sexually-transmitted disease.[72] A clinic assistant accessed his records and disclosed the information to Yath’s husband. Yath sued for wrongful disclosure of medical information in violation of the Minnesota statute by improperly releasing PHI.[73] While lower courts determined HIPAA preempted the state statute, the Minnesota Court of Appeals held that the statute was not preempted because it is not “contrary” to HIPAA.[74] The defendants could comply with both HIPAA and the statute since both laws are “complementary,” not “contradictory” as the laws obtained the same goal of safeguarding patient PHI.[75] The West Virginia Supreme Court of Appeals elaborates that though the remedies in Minnesota Statute § 144.335 and HIPAA are not identical, [76] the differences are merely functional. [77] Both statutes primarily prohibit mishandling of PHI, but HIPAA focuses on criminal liability and civil fines while § 144.335 permits compensatory damages. As such, states like West Virginia allow HIPAA to establish the privacy protection floor, and states may enforce more stringent laws without preemption.

As a result, states like West Virginia approve both complementary statutory and common law claims for HIPAA breaches. At the end of the day, however, each individual state must make this decision. “Raising up causes of action where a statute has not created them may be a proper function for common-law courts, but not for federal tribunals.”[78]

D. Kentucky Does Not Recognize a State Common Law or Statutory Cause of Action for HIPAA Violations

Kentucky has yet to recognize any common law private cause of action for HIPAA violations using HIPAA regulations as the standard of care.[79] Alternatively, Kentucky appears to statutorily provide recovery for individuals injured by violations of any statute via KRS § 446.070.[80] This statute allows an aggrieved party to recover for a violation of another statute if that particular statute provides no civil remedy, and the aggrieved person is within the class of persons the statute is meant to protect.[81]

In Yeager v. Dickerson, the court addresses whether the plaintiff has a cause of action via KRS § 446.070 against her attorneys for disclosure of medical information.[82] Yeager, executrix of her daughter’s estate, alleged a violation of HIPAA when her daughter died from a drug overdose after release of her PHI at her child’s custody hearing.[83] Because Congress has not expressly intended a private right under HIPAA, the Kentucky Court of Appeals held that KRS § 446.070 does not confer a private civil remedy for such violations.[84] According to the court, the “any statute” language appearing in KRS § 446.070 is limited to state statutes only and exempts federal statutes in which Congress has not intended a remedy to be conferred.[85] The court further stated that even if the General Assembly had intended a right under the state statute where Congress had not, HIPAA would preempt Kentucky state law.[86] The court also has not recognized any common law tort claims for plaintiffs since the claims are grounded in HIPPA.[87] This leaves Kentuckians wondering what rights they can exercise after a HIPAA violation occurs.

III. Solution: Kentucky Should Implement a State Statutory Cause of Action for HIPAA Violations

As it exists, Kentucky provides no private cause of action through KRS § 446.070 for persons harmed by PHI disclosure.[88] This legislative void can only be fully remedied by the Kentucky Legislature enacting a statute specifically allowing a private cause of action for HIPAA violations. For guidance, Kentucky should look to neighboring states, particularly West Virginia, due to similarities between the two states’ medical landscapes. Although Kentucky is more populous and has had different jurisprudence on the subject than West Virginia, these should not stand in the way of Kentucky’s recognition of privacy rights.

A. Proposed Legislation for Recovery under a Kentucky State Statute

Private litigation on a federal scale might overwhelm the effectiveness of HIPAA, but other states have taken charge of regulating medical privacy. In fact, prior to HIPAA, states were the primary regulators of privacy concerns via the common law, statutes, and regulations.[89] The Yeager Court rationalized correctly that even if a private right of action existed, it would be preempted.[90] This is accurate because HIPAA establishes the floor for privacy protection and Kentucky has not yet expanded it further.[91] To circumvent preemption and better protect Kentuckians, legislators must be willing to enact “strong health privacy laws”[92] to redress those harmed.

Even after HIPAA’s adoption, HHS explained, “[w]e believed then, and still believe, that there is an urgent need for legislation to establish comprehensive privacy standards for all those who pay and provide for health care, and those who receive information from them.”[93] This concept illuminates the idea that all fifty states should enact legislation to heighten privacy laws to better protect citizens rather than wholly relying on HIPAA to restore justice to aggrieved plaintiffs.[94]

This is an alarming problem after the ACA because persons may already distrust the healthcare system due to previously limited access.[95] By enacting a state statutory provision in which KRS § 446.070 will allow recovery, rural Kentuckians may be more apt to trust and seek out healthcare they once could not afford. These persons must not live in fear of Kentucky forgoing individual privacy protection because redress is unavailable.

While Kentucky courts have rebuked a private cause of action,[96] implementing a state statute would allow the courts to analyze it as a matter of first impression and partake in shaping the common law associated with the statute. Kentucky can look to West Virginia, its neighbor, for guidance since West Virginia implemented higher safeguards to protect its residents.[97] Little case law exists in Kentucky and West Virginia regarding state rights of action for HIPAA violations. However, in the available case law, Kentucky and West Virginia rationalize the subject comparably.[98] In fact, the only difference between the two states is solely the existing precedent, as the two states have strikingly similar medical landscapes. Precedent is the only barrier that stands between Kentucky and a state private cause of action—a barrier that the ACA will inevitably break down.

B. Comparison: The Kentucky and West Virginia Courts Rationalize Similarly

In Kentucky, Yeager held that the state statute regarding privacy for health care recipients did not confer a private right of action for HIPAA violations.[99] Authority in neighboring West Virginia from the Supreme Court of Appeals, however, is contrary to the Kentucky holding.[100] The courts’ rationale is quite similar, but the respective precedent is distinctive: West Virginia reaffirmed a patient’s ongoing right to sue where Kentucky has not yet initially recognized a patient’s right to sue.

First, both courts recognize that HIPAA does not create a federal private right of action for aggrieved persons.[101] Second, neither Kentucky nor West Virginia specifically held that HIPAA preempts a state from recognizing a cause of action for disclosure of PHI.[102] Instead, the courts address whether HIPAA preempts particular statutes. As discussed in West Virginia, HIPAA would preempt state law, including statutory and common law, only if the state law would disallow compliance with both state and federal requirements or if the state law is contrary[103] and stands as an obstacle to HIPAA’s execution.[104]

If the courts have already rationalized similarly, Kentucky should consider consulting other jurisdictions in at least allowing a statutory right of recovery in combination with KRS § 446.070 for aggrieved individuals. Preemption would also not be an obstacle, despite Kentucky courts’ rationale, because it is entirely possible for both the OCR to enforce HIPAA through civil and criminal fines and Kentucky to recognize a private cause of action focusing on individual recovery. Both proceedings could occur autonomously without affecting the other. Further, a state right of action would complement HIPAA’s floor by assisting and strengthening incentives to protect PHI with the expansion of the ACA.

As one court stated, “[i]t is, to say the least, difficult to believe that Congress would, without comment, remove all means of judicial recourse for those injured by illegal conduct.”[105] While Kentucky has already taken strides to protect its own residents through adoption of the first state-based exchange for the ACA, it has fallen behind West Virginia and other states that have recognized a common law cause of action and others with statutory causes of action due to the toothless fear of preemption and outdated precedent in the time of the ACA.

C. Comparison: Kentucky and West Virginia have Comparable Medical Landscapes

Similar medical landscapes are important when advocating for one state government to adopt another’s remedies. This section statistically compares West Virginia and Kentucky to illustrate few differences exist between them. Kentucky conclusively has more uninsured individuals and more Medicaid recipients yet has no state cause of action like West Virginia. These statistics support Kentucky adopting West Virginia’s approach to redressing breaches.

The implementation of the ACA has the potential to extend coverage to as many as 285,931 uninsured West Virginians.[106] West Virginia’s estimated 2013 population was 1,854,304, with 714,605 of those individuals living in rural areas.[107] Through the ACA Marketplace, 42% of adults (about 112,000) and 11% of children (roughly 30,000) will receive Medicaid, 23% of individuals will be eligible for tax credits (62,000), and 23% may gain coverage without financial assistance.[108] Of those uninsured individuals eligible for coverage, 259,000 (91%) are White, 16,461 (6%) are African-American, 2,850 (1%) are Latino or Hispanic, and 1,208 (0.4%) are Asian American or Pacific Islander.[109] At least 799,000 non-elderly individuals, including 91,098 children, have pre-existing health conditions who may now receive healthcare because of the ACA.[110]

In comparison, Kentucky, with 647,000 uninsured, was the first state to adopt a state-based exchange for the ACA.[111] As of 2013, Kentucky had an estimated population of 4,395,295, of which 1,837,294 living in rural areas.[112] Through the ACA Marketplace, 45% of adults (about 291,000) and 9% of children (roughly 59,000) will receive Medicaid, 22% of individuals will be eligible for tax credits (145,000), and 24% may gain coverage without financial assistance.[113] Of those uninsured individuals eligible for coverage, 513,688 (83%) are White, 77,280 (12%) are African American, 18,272 (3%) are Latino or Hispanic, and 4,158 (1%) are Asian American or Pacific Islander.[114] At least 1,894,874 non-elderly Kentuckians, including 241,403 children, have pre-existing conditions.[115]

The above statistics illuminate that Kentucky has more individuals, more uninsured, and a greater number of Medicaid expansion recipients than West Virginia. Both have high rural populations where poverty can be a perpetual cycle and healthcare a commodity. The majority of uninsured are Caucasian, suggesting this is not a racial discrepancy, but rather a rampant, non-discriminatory issue. This prompts the question why Kentucky has not led the way in protecting Kentuckians from privacy violations like its very similar neighbor, West Virginia? After West Virginia’s adoption of both a common law and statutory cause of action protecting its citizens, Kentucky has few arguments for first implementing the ACA yet refusing to fully protect Kentuckians from HIPAA violations that may increase due to the state’s adoption of the ACA.

IV. Conclusion

While Kentucky is an advocate for providing healthcare via the ACA, Kentucky continues to ignore each person’s individual privacy rights within the medical sphere by providing no redress to Kentuckians hurt by PHI disclosures. As a result, Kentucky lacks the self-interest to fully protect its citizens because citizens desire redress when Kentucky recognizes no right. Neighboring state courts have begun utilizing HIPAA as evidence of the standard of care for other common law torts while others allow statutory causes of actions for HIPAA violations. Kentucky offers neither. This note advocates for Kentucky to implement legislation to strengthen HIPAA regulations by allowing a state private cause of action for Kentuckians hurt or affected by PHI disclosures. Kentucky should look to other states with private causes of action, such as West Virginia, for guidance. This private cause of action will more uniformly protect and guarantee Kentuckians’ privacy via state redress.


[1] J.D., May 2015, University of Kentucky College of Law.

[2] See Mary Branham, State Success & Federal Missteps, The Council of State Governments, http://www.csg.org/pubs/capitolideas/2014_jan_feb/healthcareexchanges.aspx (last visited Jan. 19, 2014). For information regarding the exchange, see Patient Protection and Affordable Care Act (ACA), Pub. L. No. 111-148, 124 Stat. 119 (2010).

[3] Steve Beshear, My State Needs ObamaCare. Now., Ny Times (Sept. 26, 2013), http://www.nytimes.com/2013/09/27/opinion/my-state-needs-obamacare-now.html.

[4] Health Insurance Portability and Accountability Act (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (codified as scattered sections of 18, 26, 29, 42 U.S.C. (2000)).

[5] McMillen v. Ky. Dep’t. of Corr., 233 S.W.3d 203, 205 (Ky. Ct. App. 2007).

[6] Young v. Carran, 289 S.W.3d 586, 589 (Ky. Ct. App. 2008) (articulating Kentucky’s lack of common law or statutory private cause of action for HIPAA violations).

[7] See Ky. Rev. Stat. Ann. § 446.070 (2013); T & M Jewelry, Inc. v. Hicks ex rel. Hicks, 189 S.W.3d 526, 530 (Ky. 2006); Alderman v. Bradley, 957 S.W.2d 264, 266-67 (Ky. 1997); Yeager v. Dickerson, 391 S.W.3d 388, 393 (Ky. Ct. App. 2013).

[8] See Alexander v. Sandoval, 532 U.S. 275, 275 (2001) (holding that there is no private right of action to enforce disparate-impact regulations promulgated under Title VI of Civil Rights Act of 1964.”); Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006) (holding no private cause of action for disclosure of PHI during a deposition); Johnson v. Quander, 370 F. Supp. 2d 79, 100 (D.D.C. 2005) (holding that a convicted robber had no private cause of action under HIPAA when challenging the DNA Act because the Secretary of HHS only had that right); Univ. of Colo. Hosp. v. Denver Pub. Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004) (finding no HIPAA private cause of action because the statute created enforcement means for aggrieved persons); O’Donnell v. Blue Cross Blue Shield of Wyo., 173 F. Supp. 2d 1176, 1179-80 (D. Wyo. 2001) (holding no express or implied private cause of action exists in HIPAA).

[9] Yeager, 391 S.W.3d at 394.

[10] Bob Herman, HIPAA May Form Basis for State Law Private Cause of Action, Becker’s Hosp. Review (June 24, 2011), http://www.beckershospitalreview.com/healthcare-information-technology/hipaa-may-form-basis-for-state-law-private-cause-of-action.html.

[11] Beshear, supra note 2.

[12] See supra notes 18-23 and accompanying text.

[13] About the Law, U.S. Dep’t of Health and Human Serv., http://www.hhs.gov/healthcare/rights/ (last visited Jan. 20, 2014).

[14] Individual Health Insurance Coverage, AHIP Coverage (Oct. 12, 2010), http://www.ahipcoverage.com/2010/10/12/individual-health-insurance-coverage/; Small Business Health Care Tax Credit for Small Employers, IRS (Dec. 19, 2013), http://www.irs.gov/uac/Small-Business-Health-Care-Tax-Credit-for-Small-Employers.

[15] While tax reimbursement participants will also comprise a large number of individuals the ACA will help, this paper will primarily focus on Medicaid recipients as this individuals are most likely gaining access for the first time.

[16] Nat’l Fed’n of Indep. Bus. v. Sebelius, 132 S. Ct. 2566, 2575, (2012); Key Features of the Affordable Care Act by Year, U.S. Dep’t of Health and Human Serv., http://www.hhs.gov/healthcare/facts/timeline/timeline-text.html (last visited Jan. 20, 2014).

[17] See The Affordable Care Act-What It Means in Rural America, U.S. Dep’t of Health and Human Serv., http://www.hhs.gov/healthcare/facts/factsheets/2013/09/rural09202013.html (last visited Jan. 20, 2014).

[18] A Healthier Kentucky: Health Insurance Coverage for Every Kentuckian, Governor of Kentucky Steve Beshear, http://governor.ky.gov/healthierky/Pages/default.aspx (last visited Jan. 20, 2014) [hereinafter A Healthier Kentucky].

[19] Id.

[20] Stephanie McCrummen, In Rural Kentucky, Health-Care Debate Takes Back Seat as the Long-Uninsured Line Up, The Washington Post, (Nov. 23, 2013), http://www.washingtonpost.com/national/in-rural-kentucky-health-care-debate-takes-back-seat-as-people-sign-up-for-insurance/2013/11/23/449dc6e0-5465-11e3-9e2c-e1d01116fd98_story.html. Furthermore, as of March 20, 2014, 321,932 Kentuckians had enrolled through Kynect and 257,477 of these individuals qualified under the Medicaid expansion. More than 321,000 Now Enrolled Through Kynect as March 31 Deadline Approaches, Kentucky.gov (Mar. 21, 2014), http://kentucky.gov/Pages/Activity-Stream.aspx?viewMode=ViewDetailInNewPage&eventID={836DB829-13DE-4631-974A-0FA5B3BFF739}&activityType=PressRelease.

[21] Beshear, supra note 2.

[22] Id. (“[Kentucky] ranks among the worst, if not the worst, in almost every major health category, including smoking, cancer deaths, preventable hospitalizations, premature death, heart disease and diabetes.”).

[23] Enforcement Highlights, U.S. Dep’t of Health and Human Serv. (Dec. 31, 2013), http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/12312013.html.

[24] HIPAA, Pub. L. No. 104-191, 110 Stat. 1936 (codified as scattered sections of 18, 26, 29, 42 U.S.C. (2000)).

[25] See id. § 261.

[26] 42 U.S.C. § 1320d-2(d)(2)(A-C) (2014).

[27] See 45 C.F.R. § 160.103(4)(iv)(1-3) (2014).

[28] American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5, 123 Stat. 226 (Feb. 17, 2009), codified at 42 U.S.C. §§300jj et seq.; §17901 et seq.

[29] Business associate:

(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

45 C.F.R. § 160.103(1)(i-ii) (2014).

[30] It also expanded the maximum fine to $50,000 per violation depending on the culpability level, capping maximum amounts for repeated offenses at $1,500,000 per year for aggregate violations. See HIPAA Enforcement after the Recovery Act, Hall, Render, Killian, Heath & Lyman (March 30, 2009), http://www.hallrender.com/library/articles/1085/033009___Enforcement_after_the_Recovery_Act.pdf. However, HIPAA allows an exception to fines if the violation was due to reasonable cause. 42 USC § 1320d-5(a)(1)(B) (2014). HITECH also proposed allowing individuals to share a percentage of recovery or settlement; HHS had until 2012 to issue the regulation, but this does not appear to have occurred yet. Chris Dimick, HIPAA Violation? Sue me, J. of AHIMA (Mar. 1, 2011), http://journal.ahima.org/2011/03/01/hipaa-violation-sue-me/.

[31] See 45 C.F.R. § 164.502(a) (2014) (explaining general rules on violations and permitted uses of PHI). A “breach” is defined by HHS as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Breach Notification Rule, U.S. Dep’t of Health and Human Serv., http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html (last visited Mar. 19, 2014).

[32] See, e.g., 42 U.S.C. § 1320d-5(a)(1)(A), (B) (2014).

[33] How OCR Enforces the HIPAA Privacy & Security Rules, U.S. Dep’t of Health and Human Serv., http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/howocrenforces.html (last visited Jan. 17, 2014) [hereinafter How OCR Enforces].

[34] See 42 U.S.C. § 1320d-5(c)(2) (2014); How OCR Enforces, supra note 32.

[35] How OCR Enforces, supra note 32.

[36] 42 U.S.C. § 1320d-5(a)(2)-(3) (2014).

[37] Id. § 1320d-6; How OCR Enforces, supra note 32.

[38] How OCR Enforces, supra note 32.

[39] Id.

[40] Id. Further, in 2012, HHS reported that 10,454 individuals filed complaints to the OCR, indicating that complaints are not at a minimum. See Health Information Privacy Complaints Received by Calendar Year, U.S. Dep’t of Health and Human Serv., http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/complaintsyear.html (last visited Jan. 17, 2014) [hereinafter Privacy Complaints] (providing a bar graph to show increasing numbers of HIPAA complaints each year).

[41] Instead, Congress limited enforcement to the Secretary of Health and Human Services, which indicates it did not intend to create private rights of action in individuals aggrieved by HIPAA breaches. Social Security Act, § 1171, 42 U.S.C. § 1320d); Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006).

[42] After the HITECH expansion, state attorney generals are now allowed to bring civil damage claims against entities that breach HIPAA, but this does not affect an individual’s right to sue. Dimick, supra note 29. Even then, the attorney generals may be overwhelmed as well and only choose to take the most devastating and detrimental cases.

[43] See, e.g., Acara, 470 F.3d at 569.

[44] See infra Sections II.B-C.

[45] See Individual Right of Action for Medical Records Access: 50 State Comparison, Robert Wood Johnson Found. (Jan. 20, 2014), http://www.healthinfolaw.org/comparative-analysis/individual-right-action-medical-records-access-50-state-comparison [hereinafter 50 State Comparison].

[46] Touche Ross & Co. v. Redington, 442 U.S. 560, 568 (1979) (citation omitted).

[47] See Alexander v. Sandoval, 532 U.S. 275, 275 (2001) (holding that there is no private right of action to enforce disparate-impact regulations promulgated under Title VI of Civil Rights Act of 1964.”); Acara, 470 F.3d at 570 (holding no private cause of action for disclosure of PHI during a deposition); Johnson v. Quander, 370 F. Supp. 2d 79, 100 (D.D.C. 2005) (holding that a convicted robber had no private cause of action under HIPAA when challenging the DNA Act because the Secretary of HHS only had that right); Univ. of Colo. Hosp. v. Denver Pub. Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004) (finding no HIPAA private cause of action because the statute created enforcement means for aggrieved persons); O’Donnell v. Blue Cross Blue Shield of Wyo., 173 F. Supp. 2d 1176, 1179-80 (D. Wyo. 2001) (holding no express or implied private cause of action exists in HIPAA).

[48] Alexander, 532 U.S. at 286-87 (“Without [statutory intent], a cause of action does not exist and courts may not create one, no matter how desirable that might be as a policy matter, or how compatible with the statute.”).

[49] See Acara, 470 F.3d at 572.

[50] HIPAA enforcement has consistently been at a minimum. For example, between 2003 and 2011, the OCR received over 25,000 complaints, but only imposed a formal civil fine in one of these cases. The OCR settled six of these cases. HHS referred 495 cases to the Department of Justice, resulting in only sixteen prosecutions. Rachel Grunberger, Senate Hearings Focus on Lack of HIPAA Enforcement, Final HITECH Rule, Inside Privacy (Dec. 22, 2011), http://www.insideprivacy.com/senate-hearings-focus-on-lack-of-hipaa-enforcement-final-hitech-rule/.

[51] See, e.g., Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 42 (Conn. Super. Ct. 2014) (holding HIPAA may be used as the standard of care for a negligence claim and HIPAA does not preempt this type of claim); Doe 1631 v. Quest Diagnostics, Inc., 395 S.W.3d 8, 18-19 (Mo. 2013) (allowing a breach of fiduciary claim against defendant after its phlebotomist faxed HIV results without the patient’s permission); R.K. v. St. Mary’s Med. Ctr., Inc., 735 S.E.2d 715, 723 (W. Va. 2012) (holding HIPAA may be used as the standard of care for a negligence claim); Sorensen v. Barbuto, 143 P.3d 295, 299 n.2 (Utah Ct. App. 2006) (holding plaintiff established an action for negligent breach of confidentiality by relying on standards within HIPAA); I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585, at *2 (E.D. Mo. June 14, 2011) (“[T]he Court finds that Count III may stand as a state claim for negligence per se despite its exclusive reliance upon HIPAA.”); K.V. v. Women’s Healthcare Network, LLC, 07-0228-CV-W-DW, 2007 WL 1655734, at *1 (W.D. Mo. June 6, 2007) (explaining that the negligence per se claim based on HIPAA violation was a state-law claim); Acosta v. Byrum, 638 S.E.2d 246, 253 (N.C. Ct. App. 2006) (allowing plaintiff to reference HIPAA as baseline evidence of appropriate medical standard of care needed as an element of negligence); Harmon v. Maury Cnty., Tenn., No. 1:05 CV 0026, 2005 WL 2133697, at *3 (M.D. Tenn. Aug. 31, 2005).

[52] Young v. Carran, 289 S.W.3d 586, 588-89 (Ky. Ct. App. 2008) (citation omitted).

[53] State supreme courts wrote two of these notable decisions, demonstrating that at least two states’ highest courts have recognized HIPAA as proof of the standard of care for common law tort claims. See, e.g., Sorensen, 143 P.3d at 299 n.2; R.K., 735 S.E.2d at 723.

[54] It appears that plaintiffs must still prove damages proximately caused by the defendant’s actions, and damages must be legally cognizable. See Alagia, Day, Trautwein & Smith v. Broadbent, 882 S.W.2d 121, 126 (Ky. 1994).

[55] For example, Ohio’s Supreme Court in 1999 held that “an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship” and “a third party can be held liable for inducing the unauthorized, unprivileged disclosure.” Biddle v. Warren Gen. Hosp., 715 N.E.2d 518, 523, 528 (Ohio 1999). This tort only applied to the confidential relationship between the physician and the patient, however. Recognizing the shortcomings of this tort and the growing problem of inadvertent disclosure with other entities before HITECH, the same court created a separate tort solely related to medical records that applies to a broader range of persons not limited to physicians. See Hageman v. Sw. Gen. Health Ctr., 893 N.E.2d 153, 157-58 (Ohio 2008).

[56] See 50 State Comparison, supra note 44 (illustrating California, Delaware, Illinois, Louisiana, Maryland, Massachusetts, Montana, New Hampshire, New York, Tennessee, Washington, West Virginia, Wisconsin, and Wyoming have private causes of action).

[57] See R.K., 735 S.E.2d at 715.

[58] See infra notes 83-109 and accompanying text (explaining the similarities between West Virginia and Kentucky).

[59] The statute explains that “[t]he provisions of this article may be enforced by a patient, authorized agent or authorized representative, and any health care provider found to be in violation of this article shall pay any attorney fees and costs, including court costs incurred in the course of such enforcement.” W. Va. Code § 16-29-1(d) (2011 & Supp. 2014); W. Va. Code § 29B-1-6 (2012) (“Any custodian of any public records who willfully violates the provisions of this article is guilty of a misdemeanor and, upon conviction thereof, shall be fined not less than two hundred dollars nor more than one thousand dollars, or be imprisoned in the county jail for not more than twenty days, or, in the discretion of the court, by both fine and imprisonment.”).

[60] See R.K., 735 S.E.2d at 724.

[61] See 50 State Comparison, supra note 44.

[62] 42 U.S.C. § 1320d-7 (2014), which states in part:

(1) General rule, Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.

(2) Exceptions, A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall not supersede a contrary provision of State law, if the provision of State law

(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996 [42 USCS § 1320d-2 note], relates to the privacy of individually identifiable health information (emphasis added).

[63] See R.K., 735 S.E.2d at 724.

[64] See 45 C.F.R. § 160.203(a) (2014).

[65] See id. § 160.203(b).

[66] R.K., 735 S.E.2d at 724.

[67] Id. at 717.

[68] Id.

[69] Id. at 718 (iterating claims for outrageous conduct, intentional infliction of emotional distress, negligent infliction of emotional distress, negligent entrustment, breach of confidentiality, invasion of privacy, and punitive damages).

[70] Id. at 719.

[71] 767 N.W.2d 34 (Minn. Ct. App. 2009).

[72] Id. at 38.

[73] Minn. Stat. § 144.335 (2006) (repealed 2007), available at https://www.revisor.mn.gov/statutes/?year=2006&id=144.335 (providing for a private cause of action for the wrongful disclosure of an individual’s medical records); Yath v. Fairview Clinics, 767 N.W.2d 34, 39 (Minn. Ct. App. 2009).

[74] 45 C.F.R § 160.202 (2014); R.K. v. St. Mary’s Med. Ctr., Inc., 735 S.E.2d 715, 721 (W. Va. 2012) (“Just because a distinction exists does not make [a state statute] ‘contrary’ to HIPAA. A state law is ‘contrary’ to HIPAA if a health care provider ‘would find it impossible to comply with both the State and federal requirements’ or if the state law is ‘an obstacle to the accomplishment and execution of the full purposes’ of HIPAA.’”).

[75] R.K., 735 S.E.2d at 722-23 (“The stated purpose of HIPAA is to improve the Medicare and Medicaid programs and ‘the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.’ . . . Rather than creating an ‘obstacle’ to HIPAA, [Minn. Stat. § 144.334] supports at least one of HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s health care record.”).

[76] See 45 U.S.C. §1320d-5 (2014) (imposing criminal penalties); Minn. Stat. § 144.335(3a(e)) (2006) (imposing compensatory damages in a civil action).

[77] See R.K., 735 S.E.2d at 722 (“The difference in remedy is functional only, in that a HIPAA violation subjects a person to criminal penalties.”).

[78] Lampf v. Gilbertson, 501 U.S. 350, 365 (1991) (Scalia, J., concurring in part and concurring in judgment).

[79] See, e.g., Young v. Carran, 289 S.W.3d 586, 589 (Ky. Ct. App. 2008).

[80] See Ky. Rev. Stat. Ann. § 446.070 (2013).

[81] See Yeager v. Dickerson, 391 S.W.3d 388, 393 (Ky. Ct. App. 2013).

[82] Id. at 390.

[83] Id. at 391.

[84] Id. at 394.

[85] Id. “[T]he General Assembly did not intend [KRS § 466.070] ‘to embrace the whole of federal laws and the laws of other states and thereby confer a private civil remedy for such a vast array of violations.’” (citation omitted).

[86] Id.

[87] 50 State Comparison, supra note 44 (utilizing a nationwide map to explain Kentucky has not allowed tort claims).

[88] See supra notes 78-86 and accompanying text.

[89] See Joy L. Pritts, Altered States: State Health Privacy Laws and the Impact of the Federal Health Privacy Rule, 2 Yale J. Health Pol’y L. & Ethics 327(2002) [hereinafter Altered States]. Further, “there is still room for states to protect their own citizens by retaining or enacting health privacy protections that mirror and improve upon those in the [federal legislation].” Id. at 328.

[90] See Yeager v. Dickerson, 391 S.W.3d 388, 394 (Ky. Ct. App. 2013).

[91] See generally id. at 388 (articulating no private recovery for plaintiffs in Kentucky).

[92] Altered States, supra note 88, at 345.

[93] Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,923 (Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160-64).

[94] Altered States, supra note 88, at 347 (“This approach, endorsed by the Privacy Protection Study Commission in the 1970s, ensures that the states will be able to enforce the law and protect their citizens.”) (citing Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission, U.S. Privacy Prot. Study Comm’n 276-90 (July 1977), available at http://epic.org/privacy/ppsc1977report).

[95] As an example, distrust for the state was so extreme that some rural Kentuckians thought that enrolling in the state-health insurance coverage involved implanting microchips into their arms. McCrummen, supra note 19.

[96] See generally Yeager, 391 S.W.3d at 388 (illustrating Kentucky case law against a private cause of action).

[97] See supra section II.C (articulating West Virginia common law and statutory scheme allowing individuals rights of recovery for disclosures of PHI).

[98] See Yeager, 391 S.W.3d at 388; R.K. v. St. Mary’s Med. Ctr., Inc., 735 S.E.2d 715 (W. Va. 2012).

[99] See Yeager, 391 S.W.3d. at 394.

[100] See R.K., 735 S.E.2d at 724.

[101] Id. at 718; Yeager, 391 S.W.3d at 393.

[102] See R.K., 735 S.E.2d at 721; Yeager, 391 S.W.3d at 394.

[103] See 45 C.F.R § 160.202-.203 (2013).

[104] See R.K., 735 S.E.2d at 721-24 (discussing HIPAA preempting contrary state laws and disallowing any laws impeding HIPAA enforcement).

[105] Wash. Mut. Bank v. Superior Court, 75 Cal. App. 4th 773, 783 (1999) (citation omitted).

[106] The Uninsured in West Virginia, Addiction Tech. Transfer Ctr. Network, http://attcnetwork.org/regcenters/generalContent.asp?rcid=2&content=PARTCUSTOM (last visited Jan 20, 2014) [hereinafter The Uninsured in West Virginia].

[107] Living in rural areas increased the possibilities of being uninsured. See West Virginia, Rural Assistance Ctr. (Dec. 29, 2014), http://www.raconline.org/states/west-virginia.

[108] See How Will the Uninsured in West Virginia Fare Under the Affordable Care Act?, Kaiser Family Found., http://kff.org/health-reform/fact-sheet/state-profiles-uninsured-under-aca-west-virginia/ (last visited Jan. 20, 2014); Interactive: A State-by-State Look at How the Uninsured Fare Under the ACA, Kaiser Family Found., http://kff.org/interactive/uninsured-gap/ (last visited Jan. 19, 2014) (hereinafter Interactive).

[109] The Uninsured in West Virginia, supra note 105.

[110] 5 Years Later: How the Affordable Care Act is Working for West Virginia, U.S. DEP’T OF HEALTH AND HUMAN SERV., http://www.hhs.gov/healthcare/facts/bystate/wv.html (last visited Jan. 20, 2014).

[111] How Will the Uninsured in Kentucky Fare Under the Affordable Care Act?, Kaiser Family Foundation, http://kff.org/health-reform/fact-sheet/state-profiles-uninsured-under-aca-kentucky/ (last visited Jan. 19, 2014) (hereinafter Kaiser Kentucky).

[112] Kentucky, Rural Assistance Ctr. (Sept. 12, 2014), http://www.raconline.org/states/kentucky.

[113] Kaiser Kentucky, supra note 110; Interactive, supra note 107.

[114] How the Health Care Law is Making a Difference for the People in Kentucky, KY and Appalachia Public Health Training Ctr., http://www.uky.edu/kaphtc/resources/policy-development-and-program-planning/how-health-care-law-making-difference-people (last visited Jan. 20, 2014).

[115] 5 Years Later: How the Affordable Care Act is Working for Kentucky, U.S. DEP’T OF HEALTH AND HUMAN SERV., http://www.hhs.gov/healthcare/facts/bystate/wv.html (last visited Jan. 20, 2014).