HIPAA and state law privacy claims stand while medical malpractice claim falls

The plaintiff (Reed) was injured on the job and taken by his employer to a physician (Rodarte) for treatment. Reed alleged that Rodarte wrongly diagnosed him with a sexually transmitted disease as the cause of his abdominal and groin pain, and opined that his injury was not related to work activity. Plaintiff further alleged Rodarte conveyed this information verbally to his employer, and put the information in a medical record that the employer also was given. Plaintiff sued under HIPAA, state privacy laws, and state defamation laws. Rodarte argued plaintiff’s claims constituted medical malpractice; therefore, under the Indiana Medical Malpractice Act (Act) plaintiff was required to obtain an opinion from a state medical review panel prior to filing suit.

The court held that unauthorized communications by a healthcare provider to third parties regarding the patient’s medical condition did not give rise to an action for medical malpractice, because the communication was not necessarily “made in furtherance of providing health care or professional services to plaintiff.”

The case is interesting because of the intersection between medical malpractice (professional negligence) and HIPAA / state medical privacy and confidentiality laws. In this case, the latter were the viable claim. The court focused on the fact that the allegedly wrongful communication was in itself part of the medical care, and thus not the subject of a professional negligence action.

Risk management is an important part of every healthcare clinical practice or business. Part of liability risk management involves understanding employer – employee issues, and the difference between HIPAA, state medical privacy, and malpractice issues. Contact an experienced healthcare and FDA lawyer for legal and regulatory advice and liability risk management in your healthcare business or practice.