
By Chelsea L. Gulinson, Esq. and James R. Taylor, Esq., Milligan Lawless, P.C.

Since HIPAA’s creation almost 25 years ago, many have suspected that, eventually, a provider’s failure to comply with HIPAA would allow a patient to recover economic damages. Although HIPAA violations can lead to economic penalties imposed by the U.S. Department of Health and Human Services Office for Civil Rights, HIPAA does not include a mechanism for patients to seek economic damages from non-compliant providers. However, the Arizona Supreme Court recently determined that HIPAA standards can be used in the context of a patient’s claim against a provider for negligently disclosing protected information.

Understanding when and how a provider may disclose a patient’s information is tricky. Typically, a provider discloses an individual’s protected health information to the individual, the individual’s family or specifically authorized representatives, or pursuant to a subpoena. However, in each instance, a provider can only disclose such information pursuant to Arizona’s medical records statute[1] and HIPAA.

In a case decided earlier this month, the Arizona Supreme Court clarified that Arizona’s medical records statute “affords healthcare providers immunity from liability for damages if they acted in good faith when disclosing medical information pursuant to applicable law.”[2] However, although HIPAA does not include a private right of action, the Court concluded that HIPAA is applicable to defining the standard of care in a state law negligence claim.[3] Thus, although Arizona law may protect against liability for good faith disclosures of a patient’s protected information, understanding when and how disclosures are allowed under HIPAA and Arizona’s medical records statute is essential.

For any questions on the above, please contact Jim Taylor or Chelsea Gulinson at 602-792-3500.


[1] A.R.S. § 12-2296.

[2] Shepherd v. Costco Wholesale Corp., CV-19-0144-PR, 2021 WL 941432, at *1 (Ariz. Mar. 8, 2021).

[3] Id.


The HITECH Act, which amended HIPAA, requires the Office for Civil Rights (“OCR”) to audit physician practices and other “covered entities” for compliance with HIPAA requirements. The OCR performed a pilot phase of 115 audits conducted between November 2011 and October 2012. The OCR will target all types of covered entities, including “small providers,” which include most physician practices.

The OCR’s audit assesses compliance against 77 security standards, or “protocols,” and 88 protocols relating to privacy and breach notification standards. In its initial 20 audits, the OCR found that 77% of the privacy audit issues, and 61% of the security audit issues, occurred in the small providers. The protocols emphasize extensive documentation, including written policies and risk assessments, compliance activities, training programs, and even documentation of decisions not to take certain compliance or security steps.

The OCR will review practices’ “processes, controls, and policies” to assess whether the practices are complying with the Privacy, Security, and Breach Notification Rules. The audit mandate requires the OCR to review Privacy Rule requirements including (1) notice of privacy practices for “protected health information” (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. For the Security Rule, the OCR will review a practice’s administrative, physical, and technical safeguards. The OCR will assess a practice’s compliance with the Breach Notification Rule, including a practice’s assessment of the chances of experiencing a breach, what to do in the event of a breach, and the ongoing obligations in the event of a breach. Deficiencies found in audits of “business associates” of practices, which will be performed in a later audit wave, may lead to an audit of the practice.

The OCR’s discovery of a violation of HIPAA requirements may result in significant fines and potential exclusion from the Medicare program.
