Louisiana DPS&C HIPAA Lawsuit, Law Office of William Most, 2016

This text is machine-read, and may contain errors. Check the original document to verify accuracy.
Law Office of William Most
637 Kerlerec Street ♦ New Orleans, LA 70116
650-465-5023

williammost@gmail.com
MEMORANDUM

TO: File
FROM: William Most
RE: Louisiana DPS&C HIPAA Lawsuit
DATE: March 2, 2016

Question Presented:

Has the LA Department of Public Safety and Corrections violated HIPAA by refusing to
give inmates access to their medical records? And if so, can we enforce it by means
of § 1983?

Short Answer:

Yes to the first question, no to the second. Every case I’ve seen that directly addresses the
question says that 1983 cannot be used as a vehicle to enforce HIPAA violations.
DISCUSSION

I. HIPAA’s Privacy Rule

“The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which provides for the
promulgation of privacy regulations (the HIPAA Privacy Rule)1 is the key federal law that shapes the legal
environment underlying health information-sharing in correctional contexts. HIPAA provides a baseline standard
of privacy protection for health information—federal and state laws that offer more stringent privacy protections
are not superseded by the Privacy Rule.2” (Melissa Goldstein, Health Information Privacy in the Correctional
Environment (April 2012).)
Relevant portions of the Privacy Rule:
45 C.F.R. 164.524
(a) Standard: Access to protected health information
(1) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual
has a right of access to inspect and obtain a copy of protected health information about the individual in a
designated record set, for as long as the protected health information is maintained in the designated
record set, except for:
(i) Psychotherapy notes; and
(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative
action or proceeding.
(2) Unreviewable grounds for denial. A covered entity may deny an individual access without providing the
individual an opportunity for review, in the following circumstances.
(i) The protected health information is excepted from the right of access by paragraph (a)(1) of this
section.
(ii) A covered entity that is a correctional institution or a covered health care provider acting under the
direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a
copy of protected health information, if obtaining such copy would jeopardize the health, safety,
security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer,
employee, or other person at the correctional institution or responsible for the transporting of the
inmate.
...

1 45 C.F.R. §§ 160, 164
2 45 C.F.R. § 160.203.

March 2016
HIPAA Memorandum

(b) Implementation specifications: Requests for access and timely action
(1) Individual's request for access. The covered entity must permit an individual to request access to
inspect or to obtain a copy of the protected health information about the individual that is maintained in a
designated record set. The covered entity may require individuals to make requests for access in writing,
provided that it informs individuals of such a requirement.
(2) Timely action by the covered entity.
(i) Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request
for access no later than 30 days after receipt of the request as follows.
(A) If the covered entity grants the request, in whole or in part, it must inform the individual of
the acceptance of the request and provide the access requested, in accordance with paragraph
(c) of this section.
(B) If the covered entity denies the request, in whole or in part, it must provide the individual
with a written denial, in accordance with paragraph (d) of this section.
Note: The section about incarcerated inmates left out the word “inspect.” Incarcerated inmates may be
denied a copy of their records, but the relevant section does not say they can’t inspect their records.
“As explained by the drafters of the Rule, the purpose for the exception, and the reason that the exception
is limited to denying an inmate a copy of the PHI, is to “give correctional institutions the ability to maintain order
in these facilities and among inmates without denying an inmate the right to review his or her protected health
information.” (Health Information Privacy in the Correctional Environment, citing Department of Health and
Human Services, Final Rule, Preamble, 65 Fed. Reg. at 82555.)
II. Relevant State Law and Prison Policies

DOC has a number of overlapping and contradictory policies. (Compare HC-33 § 11(A) (“Medical
records . . . shall be available to anyone having a legitimate interest”) with HC-25 § 5(b)(3) (“Persons who are not
direct health care providers shall not be given access to health records/information of an offender.”).)
A. State Law Equivalent – 1299.96

A. R.S. 44:7 Hospital records

C. Whenever the past or present condition, sickness or disease, physical or mental, of any patient treated
in any hospital, adult or juvenile correctional institution, center or school, set forth in Subsection A of this Section
shall be at issue or relevant in any judicial proceeding, the charts, records, reports, documents and other
memoranda referred to in said Subsection A shall be subject to discovery, subpoena and introduction into
evidence in accordance with the general law of the state relating to discovery, subpoena and introduction into
evidence of records and documents.
B. 22 LAC § 101(H)(1):

“Access to and release of medical records is governed by R.S. 44:7 and Health Care Policy No. HC-33
‘Offender Medical Records.’”
C. Department Regulation No. B-03-004 (20 January 2009)

“Access to and release of medical records is governed by La. R.S. 44:7 and Health Care Policy No. HC-33 ‘Offender Medical Records.’”
D. Health Care Policy No. HC-33 “Offender Medical Records”

§ 6(B): “Medical information shall not be disclosed to anyone except in accordance with Health Care
Policy No. HC-25 ‘Confidentiality’ and applicable state and federal law.”
§ 6(E): “Offenders shall not be allowed access to their medical record or the medical record of other
offenders unless authorized by the Warden or designee.”
§ 11(A): “Medical records, except psychiatric records (which includes any psychological or mental health
records), shall be available to anyone having a legitimate interest, provided the offender or in case of death, the
legal heir or next of kin, has consented in writing to their release utilizing the Authorization to Release Medical
Information (Form HC-33-A). Upon receipt of advance payment of the copying charges, the medical records shall
be released.”
§ 11(H): “The Department does not conduct covered transactions defined in the Health Insurance and
Portability Act of 1996 (HIPPA) [sic] and therefore, is not a ‘covered entity’ under HIPPA.”
E. Health Care Policy No. HC-25 “Confidentiality”

§ 5(b)(3): “Persons who are not direct health care providers shall not be given access to health
records/information of an offender. Any disclosure of such health information shall be approved by the Health
Authority.”
§ 5(b)(8): “Only the information necessary to preserve the health and safety of an offender, other
offenders, volunteers, visitors or correctional staff shall be released regarding an offender’s health status.”
To Get:
• Authorization to Release Medical Information (Form HC-33-A).
• Health Information Disclosure Reference Chart (attachment to HC-33)
III. Is the DOC A Covered Entity?

The DOC claims it isn’t. (HC-33 § 11(H): “The Department does not conduct covered transactions
defined in the Health Insurance and Portability Act of 1996 (HIPPA) [sic] and therefore, is not a ‘covered entity’
under HIPPA.”)
But, in its contracts with hospitals, it says “Each party agrees to comply with [HIPAA] . . . including,
without limitation, the federal privacy regulations contained in 45 C.F.R. Parts 160 and 164 . . . 142” (Bruce
Reilly Files “Payments, reimbursements, Medicaid” at 307-308.)
According to one commentator:
In response to the initial version of the Privacy Rule, which would have excluded the individually
identifiable health information of correctional facility inmates from the definition of PHI because
“unimpeded sharing of inmate identifiable health information is crucial for correctional and detention
facility operations,”3 DHHS received many, ultimately persuasive, comments arguing that excluding
such information from protection sends the message that, with respect to this population, abuses do not
matter. Commenters argued that, on the contrary, inmates have a right to privacy in their health
information and that information obtained in these settings can be misused. . . The drafters of the final
regulation were persuaded by these arguments and eliminated the exception.4 . . .
Guidance produced by the Centers for Medicare and Medicaid Services indicates that such institutions
therefore are not health care clearinghouses or health plans within the meaning of the Rule.5 A
correctional institution’s status as a covered entity would then depend solely on its qualification (or lack
thereof) as a health care provider who transmits health information in electronic form in connection with a
covered transaction. That is, if the organization “furnishes, bills, or is paid for health care in the normal
course of business”6 and transmits information in electronic form in connection with one of the following
eight types of transactions, it is a covered entity and must comply with HIPAA: health care claims or
equivalent encounter information; eligibility for a health plan; referral certification and authorization;
health care claim status; enrollment and disenrollment in a health plan; health care payment and
remittance advice; health plan premium payments; and coordination of benefits.
Although correctional institutions are not likely to engage in most of the transaction types specified by the
regulations, it is conceivable that one might transmit clinical encounter information for the purpose of
reporting health care; request review of health care in order to secure an authorization; and/or receive
payment of health care claims from a private or public health plan. If the correctional institution
electronically transmits one of these transactions or has a contract with another provider who transmits
the health care information electronically, it will be required to comply with HIPAA.7
Melissa M. Goldstein, Health Information Privacy in the Correctional Environment (April 2012).
https://www.statereforum.org/system/files/hit_corrections.pdf

                                                            
3 Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information; Proposed
Rule, 64 Fed. Reg. 59918-60065, 59938 (November 3, 1999).
4 Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information; Final
Rule, Preamble, 65 Fed. Reg. 82462-82829, at 82540-82541, 82622 (Dec. 28, 2000).
5 See US Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS). Covered Entity
Charts: Guidance on How to Determine Whether an Organization or Individual is a Covered Entity Under the Administrative
Simplification Provisions of HIPAA, http://www.cms.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf (accessed
March 2012).
6 “Health care provider” is defined as “a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a
provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or
organization who furnishes, bills, or is paid for health care in the normal course of business.” 45 C.F.R. § 160.103.
7 45 C.F.R. §§ 162 Subparts J-R; See CMS, Covered Entity Charts

Source: Corrections, Law Enforcement & the Courts
We know that at least LSP uses the Eceptionist electronic system to schedule surgeries for patients. (E.g.,
Eceptionist Doc.) This may constitute a “referral certification, authorization.” Also, LSP participates in a
telemedicine program. More investigation is necessary here to determine whether these activities bring the DOC
within the scope of HIPAA.
There may be other ways the DOC could be covered. According to another commentator:
If the correctional institution does employ its own health care providers (including psychiatrists,
psychologists, etc.) and, say, checks a prisoner’s eligibility to receive Medicare, Medicaid or veteran’s benefits
with the intent of taking advantage of those health plan benefits (all of these referenced “plans” are
governmental but are specifically defined as covered entity health plans pursuant to HIPAA) to offset the costs
to the correctional institution and eligibility is checked through a web site, the correctional institution (or at
least the health care part of the correctional institution) would be a covered entity health care provider pursuant
to the HIPAA Administrative Simplification Provisions because eligibility verification is a HIPAA transaction
and HIPAA specifically allows the use of web based transactions instead of batch transactions (it is called
direct data entry or DDE).
If the correctional institution medical staff check eligibility via a web site, this would make the
correctional institution a hybrid entity – part covered by HIPAA and part not. Even if state laws allow
correctional institution to withhold certain healthcare information, HIPAA would trump because it provides the
correctional institution, as an individual, greater access to his or her medical information (considered more
stringent than state law). All states have differing laws around health care information and prisoners as it
relates to the release of medical records. If the prison is found to be a hybrid entity, though, they cannot
withhold the mental/behavioral health information relating to the prisoner’s treatment. See 45 CFR
164.512(k)(5)(ii).
(Chris Apgar, HIPAA – Even States Must Comply.)
IV. DOC’S Violations of HIPAA

Assuming the DOC is covered by HIPAA, some provisions of the DOC policies may be facial violations
of HIPAA’s Privacy Rule. (E.g., HC-25 § 5(b)(3): “Persons who are not direct health care providers shall not be
given access to health records/information of an offender.”)
DOC practices may also violate the Privacy Rule. The DOC’s failure to respond at all to requests for
medical records access should violate 45 C.F.R. 164.524(b)(2)(i) (“the covered entity must act on a request for
access no later than 30 days after receipt of the request”). Or, if the DOC is denying requests without an
individualized assessment of the risk associated with records disclosure, it is likely violating 45 C.F.R.
164.524(a)(2)(ii).
V. Can We Use 1983 As a Cause of Action for the DOC’s HIPAA Violations?

No. Every case I’ve seen that directly addresses the question says that 1983 cannot be used as a vehicle to
enforce HIPAA violations.
A. Background

“While HIPAA imposes a host of obligations on covered entities in an attempt to increase patient privacy,
it does not explicitly create any individual rights for patients affected by medical privacy violations. Therefore, a
patient who has been seriously harmed as a result of these privacy leaks cannot bring a lawsuit against the
responsible party.” Joshua Collins, Toothless HIPAA: Searching for a Private Right of Action to Remedy Privacy
Rule Violations, Vanderbilt L. Rev. Vol. 60:1:199 (January 2007.)
Since Thiboutot, § 1983 has played an important role in the enforcement of private rights
by empowering private citizens to bring actions against those who are not in compliance with
constitutional or statutory requirements. However, the Court has chipped away at Thiboutot’s
broad interpretation of § 1983, a trend culminating in Gonzaga University v. Doe8 and City of
Rancho Palos Verdes v. Abrams.9
...
Plaintiffs seeking to use § 1983 to redress Privacy Rule violations must allege that
HIPAA gives them the right to medical privacy and that the defendant deprived them of this right
by disclosing their private medical information. However, the Supreme Court’s trend toward
limiting the applicability of § 1983 makes it doubtful that a plaintiff could successfully use §
1983 to enforce a violation of HIPAA’s Privacy Rule. The Privacy Rule ostensibly lacks the
explicit rights-creating language that the court required in Gonzaga. Additionally, Abrams poses a
barrier to the use of § 1983 to enforce Privacy Rule violations since the administrative remedies
set forth by HIPAA arguably preclude resort to § 1983.
(Toothless HIPAA at 202, 208.)

                                                            

8 Gonzaga Univ. v. Doe, 536 U.S. 273 (2002).
9 City of Rancho Palos Verdes v. Abrams, 544 U.S. 113 (2005).

B. Case law specifically addressing HIPAA and 1983

“Defendants move for dismissal of plaintiffs’ complaint on the ground that HIPAA creates no private
right of action enforceable under § 1983. It does not, so I must dismiss plaintiffs’ § 1983 claims.” Richard Clyde
Adams v. Eureka Fire Protection District, Case No. 4:08CV1309 CDP (E.D. Missouri 01/08/09).
“It is well established that, because there is no private right to action under HIPAA, a violation of the Act
cannot serve as the basis of a § 1983 claim.” Rodgers v. RENSSELAER COUNTY SHERIFF'S DEPARTMENT
No. 1:14-CV-01162 (N.D. NY. July 17, 2015).
"Since HIPAA does not create a private right, it cannot be privately enforced . . . via § 1983. . . ." Dade v.
GAUDENZIA DRC, INC., Dist. Court, ED Pennsylvania 2013, citing Adams v. Eureka Fire Prot. Dist., 352 F.
App'x 137, 138 (8th Cir. 2009)
“HIPAA provides no private right of action enforceable in a section 1983 action.” Taylor v. Sherman,
Civil Action No. 13-00516-KD-M, (S.D. Alabama February 26, 2014).
“Because HIPAA does not include any express or implied right, plaintiff cannot enforce
any HIPAA rights in a section 1983 action.” Woods v. Colon, Case No. 3:14-cv-1467 (VLB) (D. Conn. October 6,
2015.)
VI. False Claims Act?
A plaintiff attempting to establish a cause of action under the FCA for a Privacy Rule violation
must prove two major elements. First, the plaintiff must show that the covered entity either expressly or
impliedly certified compliance with HIPAA regulations. The plaintiff may be able to point to an actual
representation of compliance since Medicare laws expressly require claimants to certify compliance with
all federal laws.120 However, even absent evidence that claimants have expressly certified compliance,
the plaintiff could proceed under the implied false certification theory by arguing that Medicaid hospitals
have an affirmative duty to ensure compliance with all HHS regulations.121
Second, the plaintiff must prove that a recent Privacy Rule violation made the representation of
compliance legally false. In the current health care climate, where Privacy Rule violations occur on a
regular basis, this second requirement would be easily met.

(Toothless HIPAA at 218.)
But Toothless HIPAA comes up with many reasons not to use the FCA for HIPAA enforcement.
VII. Other Recourse

File a “complaint with the Department of Health and Human Services (“HHS”).10 If HHS decides to pursue a
victim’s complaint, it may impose fines against the responsible covered entity.11 However, since HIPAA’s
enactment, HHS has rarely imposed fines or criminal sanctions.12 Regardless of any enforcement action taken by
HHS, the victim will not be compensated for the harm caused by this breach of privacy.” (Toothless HIPAA at
202.)

10 45 C.F.R. § 160.306.
11 42 U.S.C. § 1320d-6(b) (2006).

Phone call with Elizabeth Cumming on 3/3/2016 – she suggested that the Privacy Rule could be enforced under
tort law – that it might be the standard of care.
VIII. Does HIPAA Supersede This State Law?

“A provision…requirement…or a standard or implementation specification adopted or established…shall
supersede any contrary provision of State law, including a provision of State law that requires medical or health
plan records (including billing information) to be maintained or transmitted in written rather than electronic
form.”
But a “provision or requirement under this part, or a standard or implementation specification adopted or
established under sections 1172 through 1174, shall not supersede a contrary provision of State law, if the
provision of State law— . . . (B) subject to section 264(c)(2) of the Health Insurance Portability and
Accountability Act of 1996, relates to the privacy of individually identifiable health information.” Public Law
191, 110 Stat. 2030, 104th Congress, 2nd Session (21 August 1996), Health Insurance Portability and
Accountability Act.
IX. Other States’ Records Policies

“Several state correctional systems have declared themselves a “covered entity” under the provisions of HIPAA
(e.g., Florida). Other states have determined that their correctional systems are not covered entities (e.g.,
Washington), but have ongoing efforts to assure reasonable compliance.” Dave Thomas and Jacqueline Thomas,
HIPAA and YOU Covered Entities— Do you even have to bother? AMERICAN JAILS (March/April 2003).
The Massachusetts Department of Public Health regulations, which apply to all correctional facilities,
including jails, require the jail to allow prisoners to inspect and have copies of their medical records.
http://www.mass.gov/courts/docs/lawlib/104-105cmr/105cmr205.pdf
Texas has recognized prisoners’ right to access PHI for many years. Op.Atty.Gen.1981, No. MW-381
(quoting that ‘with regard to all Texas Department of Corrections medical records which are generated or held by
a physician, an inmate has a statutory right of access unless the physician determines that access "would be
harmful to the physical, mental or emotional health" of the inmate’).

12 According to one report, HHS had not yet brought a single civil enforcement action under HIPAA as of November, 2005.
Joseph Conn, Ruling Called HIPAA Barrier, MODERN HEALTHCARE, Nov. 14, 2005, at 16. There has only been one
criminal conviction under HIPAA. United States v. Gibson, No. CR04-0374RSM, 2004 WL 2188280 (W.D. Wash. Aug. 19,
2004); Trial Pleading, United States v. Gibson, No. CR04-0374RSM, 2004 WL 2237585 (W.D. Wash. Aug. 19, 2004).

California:

West's Ann.Cal.Civ.Code § 56.35
§ 56.35. Compensatory and punitive damages; attorneys' fees and costs

In addition to any other remedies available at law, a patient whose medical information has been used or
disclosed in violation of Section 56.10 or 56.104 or 56.20 or subdivision (a) of Section 56.26 and who has
sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages
not to exceed three thousand dollars ($3,000), attorneys' fees not to exceed one thousand dollars ($1,000), and
the costs of litigation.
West's Ann.Cal.Civ.Code § 56.36
§ 56.36. Misdemeanors; violations; remedies
(a) Any violation of the provisions of this part that results in economic loss or personal injury to a patient is
punishable as a misdemeanor.
(b) In addition to any other remedies available at law, any individual may bring an action against any person
or entity who has negligently released confidential information or records concerning him or her in violation
of this part, for either or both of the following:
(1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to
recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual
damages.
(2) The amount of actual damages, if any, sustained by the patient.
(c)(1) In addition, any person or entity that negligently discloses medical information in violation of the
provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a
result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred
dollars ($2,500) per violation.
X. Can An Inmate’s Lawyers Get Access to Medical Records?
From the HHS FAQs:
Q: Can the personal representative of an adult or emancipated minor obtain access to the individual's medical
record?

A: The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual
for purposes of the Rule regarding the health care matters that relate to the representation, including the
right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the
personal representative by other law. If the personal representative is authorized to make health care
decisions, generally, then the personal representative may have access to the individual’s protected health
information regarding health care in general. On the other hand, if the authority is limited, the personal
representative may have access only to protected health information that may be relevant to making
decisions within the personal representative’s authority. . . . There is an exception to the general rule that
a covered entity must treat an adult or emancipated minor’s personal representative as the individual.
Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the
individual if, in the exercise of professional judgment, it believes doing so would not be in the best
interest of the individual because of a reasonable belief that the individual has been or may be subject to
domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise
endanger the individual.

XI. Cost of Access to Records
From the HHS FAQs:
Q: If patients request copies of their medical records as permitted by the Privacy Rule, are they required to
pay for the copies?

A: The Privacy Rule permits the covered entity to impose reasonable, cost-based fees. The fee may include
only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy
be mailed. If the patient has agreed to receive a summary or explanation of his or her protected health
information, the covered entity may also charge a fee for preparation of the summary or explanation. The
fee may not include costs associated with searching for and retrieving the requested information. See 45
CFR 164.524.
The HITECH Act does not create a private right of action, but it does give financial incentives to
complainants. Individuals who are harmed by HIPAA violations may now be able to share in any monetary
penalties or settlements collected as a result of those violations. See more at:
https://www.shrm.org/legalissues/federalresources/pages/intensifiedhipaaenforcement.aspx#sthash.NXklnKGl.dpuf
Note: CC attorney general, who can sue for civil violations of HIPAA
