RENDERED: JANUARY 31, 2025; 10:00 A.M.
TO BE PUBLISHED
Commonwealth of Kentucky
Court of Appeals
NO. 2024-CA-0022-MR
WYATT LEDFORD, APPELLANT
v.
UOFL HEALTH-LOUISVILLE, INC.; JESSICA DAWN CAMPBELL; MARTHA MATHER; AND UOFL HEALTH, INC., APPELLEES
APPEAL FROM JEFFERSON CIRCUIT COURT
HONORABLE PATRICIA MORRIS, JUDGE
ACTION NO. 21-CI-006141
OPINION REVERSING AND REMANDING
** ** ** ** **
BEFORE: CETRULO, COMBS, AND A. JONES, JUDGES.
JONES, A., JUDGE: The Appellant, Wyatt Ledford, brings this appeal from the
Jefferson Circuit Court’s order dismissing his common law invasion of privacy and
negligence claims against UofL Health-Louisville, Inc., Jessica Dawn Campbell,
Martha Mather, and UofL Health, Inc. (collectively referred to herein as
“Appellees”) with prejudice. The circuit court determined that the claims were preempted by the Health Insurance Portability and Accountability Act of 1996
(“HIPAA”). Having reviewed the record and being sufficiently advised, we
reverse and remand.
I. BACKGROUND
Peace Hospital (“Peace”) is a private, not-for-profit behavioral health
care hospital owned and operated by UofL Health. Mr. Ledford, a transgender
man, was employed at Peace from August 2018 until October 30, 2020.[1] During
this period, Mr. Ledford also volunteered at Peace, leading group therapy sessions
twice weekly.
In October 2020, after the death of a family member, Mr. Ledford
began experiencing suicidal ideations. On October 21, 2020, a friend took Mr.
Ledford to Norton’s Hospital in Louisville, Kentucky, where he was admitted as a
psychiatric patient. Dissatisfied with his care, Mr. Ledford discharged himself on
October 24, 2020, and sought treatment at Baptist Healthcare East (“Baptist”).
Baptist determined Mr. Ledford needed psychiatric admission, but it lacked
available beds. Baptist staff advised Mr. Ledford that Peace was the only nearby
facility that could meet his care needs.
[1] Initially, Mr. Ledford worked at Peace from August 2018 until April 2020. He resumed part-time work at Peace in August 2020 and remained employed until he resigned on October 30, 2020.
Mr. Ledford was hesitant to seek treatment at Peace due to his
professional ties with the staff there but after consulting his colleague, Dr. Sunil
Chhibber, he decided to proceed. Upon arriving at Peace on October 24, 2020, Mr.
Ledford identified himself as a transgender male. Peace staff informed him that
because he was transgendered, Peace policy required him to be placed in a private
room; however, no private rooms were available at that time. Mr. Ledford was
asked to wait in a public area until a private room became available.
Eighteen hours later, Mr. Ledford was assigned to a room on the 1-
Lourdes Unit, where he routinely worked as a therapist. Concerned about
professional boundaries, Mr. Ledford requested placement in another unit, but
Peace staff refused to accommodate his request at that time. As a result, Mr.
Ledford was admitted to the 1-Lourdes Unit and attended group therapy alongside
patients he had previously led in a professional capacity just a few days prior.
On October 26, 2020, Lead Clinician Mary Skaggs informed Mr.
Ledford that he was being transferred to the 2-East Unit. Two days later, Peace
staff allegedly told Mr. Ledford that his medical records had been improperly
accessed by employees outside his treatment team. Mr. Ledford asserts that his
records contained sensitive information about his mental health and past traumas,
and that their unauthorized access by his co-workers caused him significant
distress.
Mr. Ledford was discharged from in-patient care at Peace on October
29, 2020. Believing the alleged privacy violations left him no choice, Mr. Ledford
resigned his employment with Peace the next day. In his resignation letter to Peace
Chief Administrative Officer Martha Mather and University of Louisville President
Neeli Bendapudi, Mr. Ledford cited these experiences as his reasons for leaving.
After resigning, Mr. Ledford was allegedly informed that numerous
Peace employees outside his care team accessed and printed his medical records,
further compounding his distress. For example, Mr. Ledford asserts that four days
after his discharge, Jessica Dawn Campbell, Peace’s Director of Patient Intake and
Mr. Ledford’s supervisor, printed Mr. Ledford’s Peace Needs Assessment on
several occasions. He further alleges that over the coming days, he learned that his
electronic medical records had been accessed numerous times from locations
outside the units he was assigned during his stay such as private offices, a pediatric
unit, and a unit for the severely mentally ill.
On October 27, 2021, Mr. Ledford filed a complaint against Peace and
two of its personnel, Martha Mather and Jessica Dawn Campbell.[2] In Paragraph
seven of his complaint, Mr. Ledford asserted that all causes of action were being
“brought pursuant to the common law of the Commonwealth of Kentucky.”
After laying out the factual basis for his claims, Mr. Ledford alleged common law
invasion of privacy and negligence claims against Appellees.
[2] Mr. Ledford’s complaint also named certain “unidentified John and Jane Does” who he asserts “are employees and/or agents of UofL Health who accessed [his] protected health information and medical records without authorization and with no medically necessary reason related to [his] treatment at Peace.” Mr. Ledford explained that as he obtained additional information through discovery, he would amend his complaint to add these specific individuals by name.
I. Invasion of Privacy arising from Unauthorized Access of Plaintiff’s Medical Records
51. Plaintiff incorporates all preceding paragraphs as if fully set forth herein.
52. Plaintiff’s privacy was unreasonably intruded upon when employees and agents of UofL Health accessed Plaintiff’s protected health information without permission.
53. The unauthorized intrusion upon Plaintiff’s protected health information was highly offensive to Plaintiff and a reasonable person would find such intrusion to be highly offensive.
54. Defendants, through their actions described herein, invaded Mr. Ledford’s well-established right to privacy.
55. Plaintiff was directly injured by Defendants’ unauthorized intrusion upon his protected health information and medical records and Plaintiff’s injury was foreseeable. There exists a causal connection between Plaintiff’s injury and Defendants’ actions.
56. As a direct and proximate cause of Defendants’ actions described herein, Plaintiff has suffered from a loss of income and benefits, emotional stress, and mental anxiety, for all of which he should be compensated.
II. Negligence of UofL Health
57. Plaintiff incorporates all preceding paragraphs as if fully set forth herein.
58. UofL Health owed Plaintiff a duty to protect Plaintiff’s protected health information and medical records from unauthorized disclosure.
59. During the times relevant to the allegations in the Complaint, UofL Health failed to maintain and enforce an adequate and effective policy prohibiting and addressing employees’ unauthorized access to Mr. Ledford’s protected health information and medical records.
60. As a result of UofL Health’s failure to protect Plaintiff’s medical records from unauthorized disclosure, Plaintiff’s highly sensitive healthcare records were inappropriately accessed by his colleagues at Peace, causing Plaintiff to suffer severe, documented, emotional distress.
61. As a direct and proximate result of UofL Health’s breach of its duties, Plaintiff suffered severe injury.
62. UofL Health’s conduct was willful, wanton, and/or wreckless [sic], and as a result, Plaintiff should recover punitive damages from UofL Health.
III. Negligence of Martha Mather
63. Plaintiff incorporates all preceding paragraphs as if fully set forth herein.
64. Ms. Mather owed Plaintiff a duty to protect Plaintiff’s protected health information and medical records from unauthorized disclosure.
65. During the times relevant to the allegations in the Complaint, Ms. Mather failed to maintain and enforce an adequate and effective policy prohibiting and addressing employees’ unauthorized access to Mr. Ledford’s protected health information and medical records.
66. As a result of Ms. Mather’s failure to protect Plaintiff’s medical records from unauthorized disclosure, Plaintiff’s highly sensitive healthcare records were inappropriately accessed by his colleagues at Peace, causing Plaintiff to suffer severe, documented, emotional distress.
67. As a direct and proximate result of Ms. Mather’s breach of her duties, Plaintiff suffered severe injury.
68. Ms. Mather’s conduct was willful, wanton, and/or reckless, and as a result, Plaintiff should recover punitive damages from Ms. Mathers [sic].
Appellees filed an answer to Mr. Ledford’s complaint denying
liability and asserting a number of affirmative defenses. Later, Appellees filed a
joint motion for judgment on the pleadings pursuant to CR[3] 12.03. In their
supporting memorandum, Appellees argued that regardless of the factual validity
of Mr. Ledford’s allegations, his claims were preempted by HIPAA. Mr. Ledford
responded that his common law invasion of privacy and negligence claims were
not contrary to HIPAA and therefore not preempted. Relying on Doe v. Ashland
Hospital Corporation, No. 2021-CA-0466-MR, 2022 WL 815221 (Ky. App. Mar.
18, 2022), an unpublished opinion rendered by this Court, the circuit court granted
Appellees’ CR 12.03 motion for judgment on the pleadings and dismissed Mr.
Ledford’s claims “with prejudice.”
[3] Kentucky Rules of Civil Procedure.
Its order provides:
For the same reasons [as set forth in Doe v. Ashland, supra] HIPAA preempts Mr. Ledford’s claims. The allegations associated with his claims all speak to protections against unauthorized access to medical records, which is expressly addressed by HIPAA. To this end, the common law torts Mr. Ledford pursues are not “more stringent” than the standards established under HIPAA as determined by [Doe v. Ashland]. Ultimately, and like Doe [v. Ashland], [Mr. Ledford’s] tort claims cannot circumvent the effects of preclusion, as harsh as they are. Despite this conclusion, assuming Mr. Ledford’s allegations of unauthorized access could be substantiated, it would be reprehensible. One of the underlying policy considerations of HIPAA is maintaining physician patient confidentiality, which is a cornerstone medical treatment, especially that addressing mental health.
12/23/2023 Order at p. 4-5.
This appeal followed.
II. STANDARD OF REVIEW
As noted, the circuit court dismissed Mr. Ledford’s claims pursuant to
CR 12.03. It provides:
After the pleadings are closed but within such time as not to delay the trial, any party may move for judgment on the pleadings. If, on such motion, matters outside the pleading are presented to and not excluded by the court,
the motion shall be treated as one for summary judgment and disposed of as provided for in Rule 56, and all parties shall be given reasonable opportunity to present all materials made pertinent to such a motion by Rule 56.
Id.
“When a party moves for judgment on the pleadings, he admits for the
purposes of his motion not only the truth of all of his adversary’s well-pleaded
allegations of fact and fair inferences therefrom, but also the untruth of all of his
own allegations which have been denied by his adversary.”[4] Archer v. Citizens
Fidelity Bank & Tr. Co., 365 S.W.2d 727, 729 (Ky. 1962). As a result, “the circuit
court is not required to make any factual determination; rather, the question is
purely a matter of law.” James v. Wilson, 95 S.W.3d 875, 883-84 (Ky. App.
2002). “We review [the circuit court’s ruling on] a judgment on the pleadings de
novo.” Scott v. Forcht Bank, NA, 521 S.W.3d 591, 594 (Ky. App. 2017).
III. ANALYSIS
HIPAA, 42 U.S.C.[5] § 1320(d), adopted by Congress in 1996, aims to
protect the security and privacy of health information. 45 C.F.R.[6] §§ 160, 164
(2006). Congress delegated the task of creating national standards to “ensure the
integrity and confidentiality of the information” to be collected and disseminated to
the Secretary of the Department of Health and Human Services. 42 U.S.C. §
1320d-2(d)(2)(A). The regulations promulgating these standards as created by the
Department of Health and Human Services became effective on April 14, 2003,
and are collectively known as “the Privacy Rule,” which sets forth standards and
procedures for the collection and disclosure of “protected health information”
(“PHI”).[7] Thus, HIPAA is a combination of the statute and the regulations adopted
under its authority.
[4] We note that, in this case, the circuit court quite correctly adopted the factual allegations in Mr. Ledford’s complaint assuming them to be true for the purposes of deciding Appellees’ motion for judgment on the pleadings.
[5] United States Code.
[6] Code of Federal Regulations.
HIPAA is silent with respect to private enforcement. And it is firmly
settled that there is no private cause of action under HIPAA, either express or
implied. Faber v. Ciox Health, LLC, 944 F.3d 593, 596-97 (6th Cir. 2019).
However, the fact that HIPAA does not provide for a private right of action does
not mean that HIPAA necessarily prohibits common law tort claims based on the
wrongful release of confidential medical information. Shepherd v. Costco
Wholesale Corporation, 482 P.3d 390, 396 (Ariz. 2021) (collecting cases).
Whether common law causes of action predicated on the wrongful release of
confidential medical information can permissibly coexist with HIPAA is
essentially one of preemption.
[7] The Privacy Rule establishes patients’ rights and requires that health professionals implement various procedures regarding the use of and access to health care information. It prohibits “covered entities” from using and disclosing PHI except as required or permitted by the regulations. 45 C.F.R. § 164.501 and 45 C.F.R. § 160.103. There are three categories of “covered entities”: (1) health plans; (2) health care clearinghouses; and (3) health care providers. 45 C.F.R. § 160.103. The Privacy Rule prohibits covered entities from using or disclosing PHI in any form oral, written or electronic, except as permitted under the Privacy Rule. 45 C.F.R. § 164.502(a). “Use” and “disclosure” are defined very broadly. 45 C.F.R. § 164.501. “Use” includes an examination of PHI; “disclosure” includes divulging or providing access to PHI. The Privacy Rule is also centered on the concept that, when using PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request. 45 C.F.R. § 164.508. In other words, even if a use or disclosure of PHI is permitted, covered entities must make reasonable efforts to disclose only the minimum necessary to achieve the purpose for which it is being used or disclosed.
The Supremacy Clause of the United States Constitution grants
Congress the power to preempt state law. Lafferty Enterprises, Inc. v.
Commonwealth, 572 S.W.3d 85, 91 (Ky. App. 2019). There are three ways state
law can be preempted by the Supremacy Clause: (1) where federal law expressly
preempts state law (express preemption); (2) where federal law has occupied the
entire field (field preemption); or (3) where there is a conflict between federal law
and state law (conflict preemption). Commonwealth ex rel. Cowan v. Telcom
Directories, Inc., 806 S.W.2d 638, 640 (Ky. 1991).
“[B]oth the HIPAA statute and its regulations use preemptive
language[.]” Murphy v. Dulay, 768 F.3d 1360, 1367 (11th Cir. 2014) (citation
omitted). When determining whether a federal statute’s preemption clause
expressly preempts state law, “we focus on the plain wording of the clause,” which
necessarily contains “the best evidence of Congress’ preemptive intent.” Chamber
of Commerce of U.S. v. Whiting, 563 U.S. 582, 594, 131 S. Ct. 1968, 1977, 179 L.
Ed. 2d 1031 (2011). “The non obstante[8] provision of the Supremacy Clause
indicates that a court need look no further than the ordinary meaning of federal
law.” PLIVA, Inc. v. Mensing, 564 U.S. 604, 623, 131 S. Ct. 2567, 2580, 180 L.
Ed. 2d 580 (2011).
[8] Non obstante is a Latin phrase that means “notwithstanding” or “despite.”
As noted, HIPAA itself contains an express preemption clause. It
provides:
(1) General rule
Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.
(2) Exceptions
A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall not supersede a contrary provision of State law, if the provision of State law--
(A) is a provision the Secretary determines--
(i) is necessary--
(I) to prevent fraud and abuse;
(II) to ensure appropriate State regulation of insurance and health plans;
(III) for State reporting on health care delivery or costs; or
(IV) for other purposes; or
(ii) addresses controlled substances; or
(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.
(b) Public health
Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.
(c) State regulatory reporting
Nothing in this part shall limit the ability of a State to require a health plan to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.
42 U.S.C. § 1320d-7 (emphasis added). However, even where the state law in
question is contrary to HIPAA, the regulations provide that HIPAA will not
supersede it so long as the state law is “more stringent” than HIPAA. 45 C.F.R. §
160.203(b). “State law means a constitution, statute, regulation, rule, common
law, or other State action having the force and effect of law.” 45 C.F.R. § 160.202
(emphasis added).
In sum, HIPAA and its regulations preempt a state law, including the
common law, if there is a conflict between HIPAA and state law and the state law
is not more stringent than the HIPAA regulation. Thus, the first task in a HIPAA
preemption case is to determine whether the state law at issue is actually contrary
to HIPAA. If the state law is not contrary to HIPAA, there is no need for further
analysis. The two laws can coexist in harmony. If the state law is contrary to
HIPAA, then, and, only then, must one consider whether the state law is more
stringent. The regulations provide that a state law is “contrary” to HIPAA when
(1) it is “impossible to comply with both the State and Federal requirements”; or
(2) “state law stands as an obstacle to the accomplishment and execution” of the
act. 45 C.F.R. § 160.202.
In Doe v. Ashland, supra, relied on by the circuit court and now the
Appellees, the court jumped to the “more stringent” requirement without
considering whether the common law causes of action before it were actually
contrary to HIPAA. As explained above, however, whether the state law is
contrary to HIPAA is the threshold determination. State laws that are not contrary
to HIPAA are not preempted. If, and only if, a state law is contrary to HIPAA
must a court then consider whether the state law is more stringent. In affirming the
lower court, the Doe v. Ashland court appeared to presume the appellant’s state law
causes of action were contrary to HIPAA simply because HIPAA does not contain
its own private right of action.
Therefore, before we examine the intricacies of Mr. Ledford’s
individual common law claims, we will briefly address Appellees’ overarching
argument that any common law tort predicated on the dissemination of HIPAA
protected information must be preempted. Appellees reason that because Congress
did not create a private right of action for HIPAA violations, their intent must have
been to bar all such actions in favor of governmental enforcement.[9] Appellees’
argument employs flawed reasoning, conflating the absence of a private right of
action under HIPAA with an intent to bar all related private claims.
“Ordinarily, the mere existence of a federal regulatory or enforcement
scheme . . . does not by itself imply pre-emption of state remedies.” English v.
General Elec. Co., 496 U.S. 72, 87, 110 S. Ct. 2270, 2279, 110 L. Ed. 2d 65
(1990). Thus, we cannot conclude that the mere existence of a private enforcement
mechanism means that private enforcement is contrary to HIPAA. After reviewing
HIPAA’s legislative history, the Supreme Court of Connecticut actually held the
opposite was true. Byrne v. Avery Center for Obstetrics and Gynecology, P.C.,
102 A.3d 32, 46 (Conn. 2014) (“[T]he regulatory history of the HIPAA
demonstrates that neither HIPAA nor its implementing regulations were intended
to preempt tort actions under state law arising out of the unauthorized release of a
plaintiff’s medical records.”). In support of its holding the Byrne court noted:
[9] With regard to HIPAA, Congress has provided for the administrative enforcement of its provisions by the Secretary of Health and Human Services, 42 U.S.C. §§ 1320d-5, 1320d-6, as well as by State Attorneys General, 42 U.S.C. § 1320d-5(d).
[O]ne commenter during the rulemaking process had “raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed.Reg. 82,462, 82,582 (December 28, 2000). In its administrative commentary to the final rule as promulgated in the Federal Register, the department responded to this question by stating, inter alia, that “the fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions,” namely, fines and imprisonment. (Emphasis added.) Id. This agency commentary on final rules in the Federal Register is significant evidence of regulatory intent.
Like the Byrne court, we find HIPAA’s legislative history supports
the conclusion that HIPAA itself was not intended to bar all state common law
causes of action premised on the wrongful disclosure of medical information
protected by HIPAA. See also Menorah Park Center for Senior Living v. Rolston,
173 N.E.3d 432, 441 (Ohio 2020) (“In a situation in which state law provides a
patient the potential personal recovery of damages, it is not impossible for the
covered entity to comply with both HIPAA and the state law[.]”); Lawson v.
Halpern-Reiss, 212 A.3d 1213, 1217 (Ver. 2019) (“HIPAA does not preempt
causes of action arising under state common or statutory law imposing liability for
health care providers’ breaches of patient confidentiality.”); Vaughn v. Patient
First, 4:16CV39, 2016 WL 11673421, at *6 (E.D. Va. Aug. 10, 2016) (“[T]he fact
that HIPAA does not provide a private cause of action, standing alone, does not
necessarily require dismissal of a HIPAA-related negligence claim under Virginia
law.”); R.K. v. St. Mary’s Medical Center, Inc., 735 S.E.2d 715, 724 (W. Va. 2012)
(superseded by statute) (“[S]tate common-law claims for the wrongful disclosure
of medical or personal health information are not inconsistent with HIPAA. . . .
[S]uch state-law claims compliment [sic] HIPAA by enhancing the penalties for its
violation and thereby encouraging HIPAA compliance.”).
Based on the statutory language and legislative history of HIPAA, we
are firmly convinced that HIPAA does not categorically bar all state law claims
seeking redress for the wrongful disclosure of HIPAA protected information. To
the extent that Doe v. Ashland, supra, implicitly reached the opposite conclusion,
we decline to follow suit. We are at liberty to do so because Doe v. Ashland was
designated “not to be published.” RAP[10] 41(A) (“‘Not To Be Published’ opinions
of the Supreme Court and the Court of Appeals are not binding precedent and
citation of these opinions is disfavored.”); Johnson v. Commonwealth, 659 S.W.3d
832, 837 (Ky. App. 2021) (citation omitted) (“[U]npublished opinions are not
binding precedent, but only persuasive authority. Therefore, we are not required to
follow their holdings.”).
[10] Kentucky Rules of Appellate Procedure.
We must now examine Mr. Ledford’s specific claims to determine if
the claims themselves are contrary to HIPAA. We begin with invasion of privacy,
a somewhat amorphous tort. As early as 1867, Kentucky courts began to grapple
with the concept of an individual right of privacy existing apart from one’s
property rights. See Grigsby v. Breckinridge, 65 Ky. 480, 497 (Ky. 1867); see also
W. Thomas Bunch, Kentucky’s Invasion of Privacy Tort – A Reappraisal, 56 KY.
L.J. 261 (1968). However, at that time, an independent tort specifically for
invasion of privacy had not yet been established. For the next fifty years, our
courts flirted with the notion of invasion of privacy without actually firmly holding
such a tort existed. Bunch, supra, at 261-65. In 1927, however, the Court of
Appeals[11] decided Brents v. Morgan, 299 S.W. 967 (Ky. 1927), explicitly holding
for the first time that “there is a right of privacy, and that the unwarranted invasion
of such right may be made the subject of an action in tort to recover damages for
such unwarranted invasion.” Id. at 971.
[11] Kentucky’s highest court at the time.
Despite having been firmly established, the tort remained difficult to
precisely define. Then, in 1981, the Kentucky Supreme Court adopted the general
invasion of privacy principles found in the Restatement (Second) of Torts. McCall
v. Courier-Journal and Louisville Times Co., 623 S.W.2d 882, 887 (Ky. 1981).
The Restatement provides that: “[o]ne who intentionally intrudes, physically or
otherwise, upon the solitude or seclusion of another or his private affairs or
concerns, is subject to liability to the other for invasion of his privacy, if the
intrusion would be highly offensive to a reasonable person.” RESTATEMENT
(SECOND) OF TORTS § 652B (1977) (emphasis added). The tort “consists solely of
an intentional interference with [a person’s] interest in solitude or seclusion, either
as to his person or as to his private affairs or concerns, of a kind that would be
highly offensive to a reasonable man.” Id. at cmt. a (emphasis added). An
example highlighted in the RESTATEMENT (SECOND) was an intrusion into
someone’s privacy “by opening [a plaintiff’s] private and personal mail.” Id. cmt.
b. “The intrusion itself makes the defendant subject to liability, even though there
is no publication or other use of any kind of the . . . information outlined.” Id.
Appellees have not cited any compelling authority that convinces us
that Kentucky’s common law tort for invasion of privacy is contrary to HIPAA,
even where the privacy interest at stake concerns one’s private medical
information. Indeed, it seems to us that Kentucky’s common law tort for invasion
of privacy is consistent with HIPAA insomuch as it would prevent disclosure of
private medical information without cause.[12] In fact, HIPAA’s regulatory history
indicates that state privacy laws, like Kentucky’s, harmonize with HIPAA and
were actually cited as a reason for adopting HIPAA in the first instance. Standards
for Privacy of Individually Identifiable Health Information, 65 FR 82462-01 (“A
right to privacy in personal information has historically found expression in
American law. All fifty states today recognize in tort law a common law or
statutory right to privacy.”).
In sum, we hold that Mr. Ledford’s common law invasion of privacy
claim is not contrary to HIPAA. It is not impossible for Appellees to comply with
both Kentucky’s common law privacy standards and HIPAA. Likewise,
Kentucky’s common law – at least as it relates to privacy – does not create an
obstacle to the accomplishment and execution of HIPAA and its objectives. In
fact, as HIPAA’s legislative history indicates, state privacy laws serve similar
objectives as HIPAA.
This, of course, is not to say that Mr. Ledford will ultimately prevail
on his invasion of privacy claim. Whether he will be able to do so is highly
dependent on by whom, under what circumstances, and for what purposes his
information was accessed and/or disseminated, matters that have not yet been fully
explored through the discovery process.
[12] In Williams v. Commonwealth, 213 S.W.3d 671, 676, n.3 (Ky. 2006), the Court noted that “it [] seems self-evident that some degree of privacy exists in the procurement of health care.”
This brings us to Mr. Ledford’s negligence claim. We note at the
outset that whether Kentucky’s common law provides a remedy for a health care
provider’s breach of its duty of confidentiality is not an issue presented in this
appeal. Thus, assuming, without deciding, that Kentucky’s common law
recognizes a negligence cause of action arising from health care providers’
breaches of patient privacy, we now undertake to consider whether such a cause of
action is contrary to HIPAA. Again, the answer is no.
To prevail on a negligence claim under Kentucky law, the plaintiff
must prove that the defendant 1) owed the plaintiff a duty of care, 2) the defendant
breached the standard of care by which his or her duty is measured, and 3) that the
breach was the legal causation of the consequent injury. Pathways, Inc. v.
Hammons, 113 S.W.3d 85, 88-89 (Ky. 2003). With some exceptions, Kentucky
courts generally adhere to the “universal duty of care”[13] standard which is a
general obligation to exercise ordinary care to prevent foreseeable harm. Morgan
v. Scott, 291 S.W.3d 622, 631 (Ky. 2009) (“[W]e remain committed to the
longstanding tort principle that liability based upon negligence is premised upon
the traditional prerequisites, such as proximate cause and foreseeability.”). For a
common law negligence claim, the standard of care is that which “a reasonably
prudent person would exercise under the circumstances.” Joiner v. Tran & P
Properties, LLC, 526 S.W.3d 94, 100 (Ky. App. 2017).
[13] “The duty does not ‘allow for new causes of action to arise that did not previously exist.’” New Albany Main Street Properties, LLC v. Stratton, 677 S.W.3d 345, 351 (Ky. 2023) (quoting Johnson v. United Parcel Serv., Inc., 326 S.W.3d 812, 815-16 (Ky. App. 2010)). It “has no meaning in Kentucky jurisprudence beyond the most general expression of negligence theory, and certainly none absent a relational context as evidenced by the circumstances of each case.” Id. (quoting Jenkins v. Best, 250 S.W.3d 680, 691 (Ky. App. 2007)).
When discussing duty and breach of the standard of care, it is
important to distinguish between ordinary, common law negligence claims and
negligence per se claims. Mr. Ledford is pursuing an ordinary, common law
negligence claim, not a negligence per se claim predicated solely on Appellees’
violation of HIPAA. This is a significant distinction.
There is a difference between using a statute to establish the standard of care in an ordinary negligence claim and using the violation of a statute to establish the duty and breach of duty in a negligence per se claim. Negligence per se uses a statutory violation to establish duty and breach of duty. Rayfield v. S.C. Dep’t of Corr., 297 S.C. 95, 374 S.E.2d 910, 914-15 (S.C. Ct. App. 1988). In contrast, if a statute is used to establish[] a standard of care, there must be some independent duty because “[o]nly when there is a duty would a standard of care need to be established.” Doe ex rel. Doe v. Wal-Mart Stores, Inc., 393 S.C. 240, 711 S.E.2d 908, 912 (2011).
J.R. v. Walgreens Boots All., Inc., 470 F. Supp. 3d 534, 554 (D.S.C. 2020), aff’d,
2021 WL 4859603 (4th Cir. Oct. 19, 2021).
In Young v. Carran, 289 S.W.3d 586, 587 (Ky. App. 2008), our Court
held that a plaintiff could not utilize KRS[14] 446.070, Kentucky’s negligence per se
statute,[15] to seek redress for an alleged HIPAA violation. The Court explained that
Young’s claim failed because “KRS 446.070 is limited to Kentucky statutes and
does not extend to federal statutes and regulations or local ordinances.” 289
S.W.3d at 589. In so holding, however, we pointed out that there is a difference
between using a federal statute to inform the standard of care for purposes of a
common law negligence action and bringing a KRS 446.070 negligence per se
claim claiming an actual violation of the statute. Id. at 589.
For example, in T & M Jewelry, Inc. v. Hicks ex rel. Hicks, 189
S.W.3d 526 (Ky. 2006), the Kentucky Supreme Court addressed negligence claims
arising from the sale of a handgun to an 18-year-old by a federally licensed gun
dealer, The Castle. After purchasing the handgun, the buyer accidentally shot his
girlfriend, Jennifer Hicks. The court upheld summary judgment against the
negligence per se claims, citing the lack of a private civil remedy under the Federal
Gun Control Act. However, it allowed common law negligence claims to proceed,
noting that the plaintiff could rely, at least in part, on the Federal Gun Control Act,
to inform the jury as to the proper standard of care. Id. at 532.
[14] Kentucky Revised Statutes.
[15] KRS 446.070 provides: “A person injured by the violation of any statute may recover from the offender such damages as he sustained by reason of the violation, although a penalty or forfeiture is imposed for such violation.” Id.
The fact that Mr. Ledford’s private information may be protected
under HIPAA does not mean he has attempted to plead a private right of action
under HIPAA. Though Mr. Ledford’s privacy interests in his medical records may
overlap with the rights assured by HIPAA, HIPAA does not subsume all other
legal authority relating to the right to privacy merely because the privacy violated
relates to medical information. And, having reviewed Kentucky’s negligence law,
we do not see how such an action, if authorized under Kentucky’s common law,
would be in any way contrary to HIPAA. Henry v. Community Healthcare System
Community Hospital, 134 N.E.3d 435, 437 (Ind. Ct. App. 2019).
In conclusion, we hold that neither Mr. Ledford’s Kentucky common
law claim for invasion of privacy, nor his negligence claim, is preempted by
HIPAA. Our opinion in this regard should not be construed as a determination that
Mr. Ledford’s invasion of privacy claim will ultimately prevail or that a negligence
claim for the disclosure of confidential medical information exists in Kentucky.
As to the former, the factual record is not sufficiently developed; and as for the
latter, that issue has not been raised or briefed by the parties. Our opinion today is
simply that to the extent such claims exist and are factually viable, they are not
preempted by HIPAA.
IV. CONCLUSION
For the reasons set forth above, we reverse the Jefferson Circuit
Court’s December 30, 2023 order dismissing Mr. Ledford’s claims with prejudice
and remand this matter for further proceedings.
ALL CONCUR.
BRIEFS AND ORAL ARGUMENT BRIEF FOR APPELLEES: FOR APPELLANT: Chelsea Granville Reed P. Stewart Abney Brent R. Baughman Louisville, Kentucky Aaron W. Marcus Ryne E. Tipton Louisville, Kentucky
ORAL ARGUMENT FOR APPELLEE:
Brent R. Baughman Louisville, Kentucky