PHILADELPHIA (CN) – State court is the best venue for a lawsuit accusing insurers of losing a flash drive containing a trove of confidential medical information about more than 280,000 children, a federal judge ruled.
The device “went missing” from the corporate offices of Keystone Mercy Health Plan and affiliate AmeriHealth Mercy Health Plan in September 2010, according to a proposed class action filed in state court earlier this year.
Lead plaintiff Avrum Baum said the privacy of his daughter, Chaya, was compromised because the insurers allowed employees to routinely attend “community health fairs” with the unencrypted drive, even though it contained “names, addresses, phone numbers, both AmeriHealth and Keystone insurance identification numbers, full and partial social security numbers, sensitive financial information, and sensitive health histories.”
The insurers removed the case to federal court in February.
Weeks later, Baum moved to remand the case to a state court in Philadelphia.
Opposing remand, the insurers said Baum’s suit conferred federal jurisdiction because Baum was asking a court to interpret the so-called privacy rule outlined in the Health Insurance Portability & Accountability Act (HIPAA), which Congress enacted in 1996.
Congress and the executive branch “have evinced a strong interest in maintaining the national uniformity of the Privacy Rule,” the companies argued, adding that the rule is nebulous and “requires significant interpretation.”
“Thus, when plaintiff alleges that the Privacy Rule requires ‘appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information,’ the court is going to be compelled to determine what is ‘appropriate’ and, indeed, what constitutes the zone of protected ‘privacy,'” attorneys for the insurers argued.
Allowing state courts to interpret HIPAA’s privacy rule “would flout the congressional intent to maintain the national uniformity of HIPAA” and “would eventually turn the core set of privacy protections that congress sought to protect, through uniform federal interpretation, into a ‘patchwork quilt’ of conflicting state court interpretations,” according to their brief.
But U.S. District Judge Anita Brody emphatically disagreed last week.
“If I were to find jurisdiction and allow this case to proceed in federal court, I would federalize an entire category of state tort claims when Congress has not indicated any intent to do so,” she wrote, remanding the case to state court.
It is well established that there is no federal private right of action under HIPAA, she noted in a seven-page opinion.
Baum’s case does not present a substantial dispute over a federal issue, the decision states, adding that Pennsylvania maintains an information-security statute that is more stringent than HIPAA.
“In spite of the fact that the personal data at the heart of this case is protected by HIPPA, this is a fairly straightforward state-law tort case,” Brody ruled.