The North Carolina Business Court reaffirmed this spring an earlier decision holding that health care entities in North Carolina have a common law duty to protect patient information independent of requirements under the Health Insurance Portability and Accountability Act (HIPAA). The court further held that HIPAA informs the standard of care for North Carolina health care providers, regardless of whether the entity is a covered entity under the law. The ruling reaffirms existing privacy obligations under state common law and underscores how health care providers in North Carolina and their business associates must handle patient data.
HIPAA is the federal law that sets standards for protecting sensitive patient health information from unauthorized disclosure. It applies to covered entities, including health care providers that electronically transmit certain health information using standardized transactions and their business associates, and obligates covered entities to implement safeguards to ensure confidentiality, integrity, and security of protected health information (PHI).
In Rodriguez v. FastMed Urgent Care Inc., the plaintiff filed a class action against FastMed Urgent Care, alleging FastMed embedded a social media platform’s web tracking tool into its website and patient portal without patient consent. These tools allegedly transmitted sensitive health information to the social media company, allowing the company to link the confidential medical data to the plaintiff’s personal social media account and sell it to advertisers. Rodriguez’s claims against FastMed included one federal claim and three state law claims. While the federal claim was dismissed on a motion by FastMed, the three state law claims survived, requiring the court to rule on a health care entity’s obligation to protect PHI under state law.
In its decision, the court analyzed whether FastMed was required to protect plaintiff’s health information under North Carolina law. The court relied on established precedent to affirm that all North Carolina health care providers owe a common law duty to protect patient information. Citing Acosta v. Byrum and additional precedent upholding the duty to protect private patient health information, the court emphasized the longstanding duties under state common law to safeguard patient health information.
Implications for Covered Entities
The Rodriguez decision reaffirmed that health care providers owe a general duty of care to patients in maintaining the confidentiality of their information. While HIPAA already imposes obligations on covered entities, the ruling highlights the importance for all health care providers in North Carolina — regardless of covered entity status under HIPAA — to implement and maintain robust privacy safeguards.
Implications for Non-Covered Entities
Non-covered entities in North Carolina may be liable under state common law claims, including negligence, invasion of privacy, and contractual liability, for the unauthorized disclosure of patient data. While non-covered entities are not bound by the requirements of HIPAA, given the court’s holding in Rodriguez, organizations and providers that collect or use sensitive health information should consider adopting HIPAA-informed practices to ensure proper patient privacy protection and insulate themselves from potential liability.
Implications for Other Entities
The holding in Rodriguez is not limited to covered or non-covered health care providers. Rather, the court’s reasoning suggests that privacy obligations extend more broadly to organizations that create, maintain, or transmit sensitive patient information. This could include not only designated business associates, but also other contractors, vendors, and entities that, through their operations, handle protected health information.
Recommendations for Entities Handling Patient Health Data
In light of the Rodriguez ruling, which holds that HIPAA informs the standard of care under state law, entities handling patient health data should consider aligning their privacy and security practices with HIPAA requirements. To mitigate the risk of privacy breaches and avoid liability under state law, entities may consider implementing reasonable security measures such as:
- Utilizing encryption, access controls, and secure storage mechanisms.
- Requesting documentation of HIPAA compliance from third-party vendors.
- Avoiding collection of PHI or sensitive data without explicit patient consent.
The Rodriguez decision reaffirms that HIPAA informs the standard of care for health care providers and other organizations handling patient information in North Carolina, regardless of their status as a HIPAA-covered entity, and cautions that even passive data collection through embedded web tools may expose providers to liability. In an era of rapidly evolving digital technologies and data-sharing practices, safeguarding patient information demands heightened vigilance. Providers and organizations handling sensitive health data should proactively evaluate their use of third-party technologies, reinforce privacy safeguards, and ensure that all security measures align with HIPAA.
Lynne Imamura also contributed to this alert as part of her summer clerkship at Parker Poe.