In a July 2012 decision by an Ohio District Court, Cabotage v. Ohio Hospital for Psychiatry LLC, the Court ruled that it did not have the jurisdiction under HIPAA to compel Ms. Cabotage, a former employee, to return stolen records to the Ohio Hospital for Psychiatry, LLC (OHP) and Behavioral Centers of America, LLC (BCA), her former employer. However, citing its inherent authority, the Court precluded Ms. Cabotage from using the stolen records against the Defendants without first requesting that such documents be produced through normal discovery methods.

BCA employed Ms. Cabotage as a registered nurse at OHP. During her employment, she became suspicious that the Medical Director was engaged in illegal activities and began to document her suspicions. She recorded her observations on forms that listed patient information and she took the records home. She shared the records with the Department of Health and Human Services which declined to pursue a claim against OHP. Ms. Cabotage also contacted a patient's family member allegedly without authorization. OHP subsequently terminated Ms. Cabotage's employment for "fraternizing with patients' families outside of work," and she filed suit alleging violations of the False Claims Act, Ohio's Nurses Whistleblower Act, and Ohio's public policy. Through discovery requests, OHP learned that Ms. Cabotage had PHI and filed a Motion for Return of Confidential Patient Information, arguing that HIPAA requires OHP to seek the return of the documents. Ms. Cabotage, on the other hand, argued that she needed the documents in order to support her claims.

In denying OHP's motion, the Court ruled that HIPAA does not confer jurisdiction upon the Court "to remedy violations private parties bring to its attention." That is, by asking the Court to compel Ms. Cabotage to return the documents, OHP was asking the Court to enforce HIPAA. Because HIPAA does not provide a private cause of action, the court could not enforce HIPAA. Instead, HIPAA confers jurisdiction on the Secretary of Health and Human Services. "Thus, to the extent Plaintiff's continued possession of the documents at issue violates HIPAA, the Secretary of Health and Human Services (HHS), not this Court, is the only party authorized to enforce the Act."

Nevertheless, the Court relied upon its inherent authority and ruled that Ms. Cabotage was precluded from using the documents she stole because the documents contained sensitive and possibly privileged information of third-parties who were not parties to the litigation between her and her former employer. Instead, Ms. Cabotage was required to use normal discovery means to request the disclosure of the documents, at which point OHP could seek a protective order for its patient records.

This case serves as a reminder to covered entities and business associates that HIPAA cannot be used as both a shield and a sword. That is, just as HIPAA does not grant a private right of action to patients, it similarly does not grant a private right of action to covered entities and business associates. Thus, those seeking to redress violations of HIPAA must file a complaint with the Office of Civil Rights, which is the division of HHS responsible for enforcing HIPAA, and may not use the courts to fight such battles.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.