Since HIPAA’s creation almost 25 years ago, many have long suspected that, eventually, a provider’s failure to comply with HIPAA might result in a patient’s recovery of economic damages as a result. Although HIPAA violations can lead to economic penalties imposed by the U.S. Department of Health and Human Services Office for Civil Rights, HIPAA does not include a mechanism for patients to seek economic damages from non-compliant providers. However, the Arizona Supreme Court recently determined that HIPAA standards can be used in the context of a patient’s claim against a provider for negligently disclosing protected information.
Understanding when and how a provider may disclose a patient’s information is tricky. Typically, a provider discloses an individual’s protected health information to the individual, the individual’s family or specifically-authorized representatives, or pursuant to a subpoena. However, in each instance, a provider can only disclose such information pursuant to Arizona’s medical records statute and HIPAA.
In a case decided earlier this month, the Arizona Supreme Court clarified that Arizona’s medical records statute “affords healthcare providers immunity from liability for damages if they acted in good faith when disclosing medical information pursuant to applicable law.” However, although HIPAA does not include a private right of action, the Court concluded that HIPAA is applicable to defining the standard of care in a state law negligence claim. Thus, although Arizona law may protect against liability for good faith disclosures of a patient’s protected information, understanding when and how disclosures are allowed under HIPAA and Arizona’s medical records statute is essential.
For any questions on the above, please contact Jim Taylor or Chelsea Gulinson at 602-792-3500.
 A.R.S. § 12-2296.
 Shepherd v. Costco Wholesale Corp., 2021 WL 941432.