No Private Right of Action for Medical Information DisclosureOhioHealth Corp. v. Ryan, 2012-Ohio-60.

On January 10, 2012,  the Tenth District Court of Appeals for the State of Ohio upheld the decision of the trial court granting summary judgment for OhioHealth (plaintiff-appellee) on the claim upon account, and a OhioHealth’s motion to dismiss the appellants counterclaim that OhioHealth created false identifiable health information and disclosed it to a third party, damaging the appellant.

OhioHealth filed an action to recover unpaid medical services from James M. Ryan, Jr. for an amount of $1,337.07.  Ryan filed a counterclaim alleging that OhioHealth created false health information by stating that Ryan was uninsured and then disclosed this information to a third party, seemingly damaging Ryan.  OhioHealth filed a motion to dismiss the counterclaim arguing that Ryan can’t bring a private cause of action under the Health Insurance  Portability and Accountability Act of 1996 (HIPAA).  Even if there were a private right of action the “privacy rule” permits OhioHealth to use and disclose protected health information for purposes of treatment, payment and health care operation activities, as it did here.

In response, Ryan cited Biddle v. Warren Gen. Hosp., 86 Ohio St. 3d 395, 1999-Ohio-115, arguing that an independent tort exists for unauthorized disclosure of information to a 3rd party where that information was learned in a confidential relationship.  OhioHealth argues that HIPAA governs “covered entities” like itself and preempts any state law.

The counterclaim failed because HIPAA allows for the release of medical information for payment.  HIPAA governs the confidentiality of medical records and regulates how “covered entities” can use or disclose “individually identifiable health (medical) information (in whatever form) concerning and individual.”  HIPAA has set rules governing the disclosure of individually identifiable health information.

The relevant provision of the “privacy rule” prohibits ‘covered entities’ (generally, health care providers who transmit health information in electronic form, see 45 C.F.R. § 160.103) from using or disclosing an individual’s ‘protected health information’ except where there is a patient consent or the use or disclosure is used for “treatment, payment, or health care operations[.]”

If Biddle allows a claim for an independent tort against a health care provider for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information learned via a physician-patient relationship involving account information (rather than medical records, as with the case in Biddle), appellant’s claim still fails.  First the disclosure here was authorized.  HIPAA permits the disclosure of individually identifiable health information when it is used to recover payment.  Second, state laws contrary to HIPAA are trumped by Federal requirements, unless they meet an exception, which are non-existent in this case.  Most significantly, HIPAA doesn’t allow a private cause of action inOhio law.  Even if a cause of action did exist under HIPAA, the appellant himself lacks the authority to bring it to court.

To view this case in its entirety visit:

Slovin & Associates Co., LPA is a regional law firm serving clients in Ohio, Kentucky, and Indiana, which provides legal services to commercial and consumer credit grantors. Our client’s needs include commercial litigation, collection of past due accounts, landlord tenant matters, bankruptcy services, and compliance with and litigation involving federal and state consumer laws.

Many thanks to Stacey Zeschin for her contributions to this article.  Stacey is a paralegal with Slovin & Associates Co., L.P.A.