Court of Appeals of Kentucky, 2025

Wyatt Ledford v. Uofl Health-Louisville, Inc.

Court of Appeals of Kentucky · Decided January 31, 2025 · A. Jones


Opinion

RENDERED: JANUARY 31, 2025; 10:00 A.M.

TO BE PUBLISHED

Commonwealth of Kentucky
Court of Appeals

NO. 2024-CA-0022-MR

WYATT LEDFORD
APPELLANT

v.

APPEAL FROM JEFFERSON CIRCUIT COURT
HONORABLE PATRICIA MORRIS, JUDGE
ACTION NO. 21-CI-006141

UOFL HEALTH-LOUISVILLE, INC.; JESSICA DAWN CAMPBELL; MARTHA MATHER; AND UOFL HEALTH, INC.
APPELLEES

OPINION
REVERSING AND REMANDING

** ** ** ** **

BEFORE: CETRULO, COMBS, AND A. JONES, JUDGES.

JONES, A., JUDGE: The Appellant, Wyatt Ledford, brings this appeal from the Jefferson Circuit Court’s order dismissing his common law invasion of privacy and negligence claims against UofL Health-Louisville, Inc., Jessica Dawn Campbell, Martha Mather, and UofL Health, Inc. (collectively referred to herein as “Appellees”) with prejudice. The circuit court determined that the claims were preempted by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Having reviewed the record and being sufficiently advised, we reverse and remand.

I. BACKGROUND

Peace Hospital (“Peace”) is a private, not-for-profit behavioral health care hospital owned and operated by UofL Health. Mr. Ledford, a transgender man, was employed at Peace from August 2018 until October 30, 2020.[1] During this period, Mr. Ledford also volunteered at Peace, leading group therapy sessions twice weekly.

In October 2020, after the death of a family member, Mr. Ledford began experiencing suicidal ideations. On October 21, 2020, a friend took Mr. Ledford to Norton’s Hospital in Louisville, Kentucky, where he was admitted as a psychiatric patient. Dissatisfied with his care, Mr. Ledford discharged himself on October 24, 2020, and sought treatment at Baptist Healthcare East (“Baptist”).

Baptist determined Mr. Ledford needed psychiatric admission, but it lacked available beds. Baptist staff advised Mr. Ledford that Peace was the only nearby facility that could meet his care needs.

[1] Initially, Mr. Ledford worked at Peace from August 2018 until April 2020. He resumed part-time work at Peace in August 2020 and remained employed until he resigned on October 30, 2020.

Mr. Ledford was hesitant to seek treatment at Peace due to his professional ties with the staff there but after consulting his colleague, Dr. Sunil Chhibber, he decided to proceed. Upon arriving at Peace on October 24, 2020, Mr. Ledford identified himself as a transgender male. Peace staff informed him that because he was transgendered, Peace policy required him to be placed in a private room; however, no private rooms were available at that time. Mr. Ledford was asked to wait in a public area until a private room became available.

Eighteen hours later, Mr. Ledford was assigned to a room on the 1-Lourdes Unit, where he routinely worked as a therapist. Concerned about professional boundaries, Mr. Ledford requested placement in another unit, but Peace staff refused to accommodate his request at that time. As a result, Mr. Ledford was admitted to the 1-Lourdes Unit and attended group therapy alongside patients he had previously led in a professional capacity just a few days prior.

On October 26, 2020, Lead Clinician Mary Skaggs informed Mr. Ledford that he was being transferred to the 2-East Unit. Two days later, Peace staff allegedly told Mr. Ledford that his medical records had been improperly accessed by employees outside his treatment team. Mr. Ledford asserts that his records contained sensitive information about his mental health and past traumas, and that their unauthorized access by his co-workers caused him significant distress.

Mr. Ledford was discharged from in-patient care at Peace on October 29, 2020. Believing the alleged privacy violations left him no choice, Mr. Ledford resigned his employment with Peace the next day. In his resignation letter to Peace Chief Administrative Officer Martha Mather and University of Louisville President Neeli Bendapudi, Mr. Ledford cited these experiences as his reasons for leaving.

After resigning, Mr. Ledford was allegedly informed that numerous Peace employees outside his care team accessed and printed his medical records, further compounding his distress. For example, Mr. Ledford asserts that four days after his discharge, Jessica Dawn Campbell, Peace’s Director of Patient Intake and Mr. Ledford’s supervisor, printed Mr. Ledford’s Peace Needs Assessment on several occasions. He further alleges that over the coming days, he learned that his electronic medical records had been accessed numerous times from locations outside the units he was assigned during his stay such as private offices, a pediatric unit, and a unit for the severely mentally ill. On October 27, 2021, Mr. Ledford filed a complaint against Peace and two of its personnel, Martha Mather and Jessica Dawn Campbell.[2] In Paragraph seven of his complaint, Mr. Ledford asserted that all causes of action were being “brought pursuant to the common law of the Commonwealth of Kentucky.”

[2] Mr. Ledford’s complaint also named certain “unidentified John and Jane Does” who he asserts “are employees and/or agents of UofL Health who accessed [his] protected health information and medical records without authorization and with no medically necessary reason related to [his] treatment at Peace.” Mr. Ledford explained that as he obtained additional information through discovery, he would amend his complaint to add these specific individuals by name.

After laying out the factual basis for his claims, Mr. Ledford alleged common law invasion of privacy and negligence claims against Appellees.

I. Invasion of Privacy arising from Unauthorized Access of Plaintiff’s Medical Records

51. Plaintiff incorporates all preceding paragraphs as if fully set forth herein.

52. Plaintiff’s privacy was unreasonably intruded upon when employees and agents of UofL Health accessed Plaintiff’s protected health information without permission.

53. The unauthorized intrusion upon Plaintiff’s protected health information was highly offensive to Plaintiff and a reasonable person would find such intrusion to be highly offensive.

54. Defendants, through their actions described herein, invaded Mr. Ledford’s well-established right to privacy.

55. Plaintiff was directly injured by Defendants’ unauthorized intrusion upon his protected health information and medical records and Plaintiff’s injury was foreseeable. There exists a causal connection between Plaintiff’s injury and Defendants’ actions.

56. As a direct and proximate cause of Defendants’ actions described herein, Plaintiff has suffered from a loss of income and benefits, emotional stress, and mental anxiety, for all of which he should be compensated.

II. Negligence of UofL Health

57. Plaintiff incorporates all preceding paragraphs as if fully set forth herein.

58. UofL Health owed Plaintiff a duty to protect Plaintiff’s protected health information and medical records from unauthorized disclosure.

59. During the times relevant to the allegations in the Complaint, UofL Health failed to maintain and enforce an adequate and effective policy prohibiting and addressing employees’ unauthorized access to Mr. Ledford’s protected health information and medical records.

60. As a result of UofL Health’s failure to protect Plaintiff’s medical records from unauthorized disclosure, Plaintiff’s highly sensitive healthcare records were inappropriately accessed by his colleagues at Peace, causing Plaintiff to suffer severe, documented, emotional distress.

61. As a direct and proximate result of UofL Health’s breach of its duties, Plaintiff suffered severe injury.

62. UofL Health’s conduct was willful, wanton, and/or wreckless [sic], and as a result, Plaintiff should recover punitive damages from UofL Health.

III. Negligence of Martha Mather

63. Plaintiff incorporates all preceding paragraphs as if fully set forth herein.

64. Ms. Mather owed Plaintiff a duty to protect Plaintiff’s protected health information and medical records from unauthorized disclosure.

65. During the times relevant to the allegations in the Complaint, Ms. Mather failed to maintain and enforce an adequate and effective policy prohibiting and addressing employees’ unauthorized access to Mr. Ledford’s protected health information and medical records.

66. As a result of Ms. Mather’s failure to protect Plaintiff’s medical records from unauthorized disclosure, Plaintiff’s highly sensitive healthcare records were inappropriately accessed by his colleagues at Peace, causing Plaintiff to suffer severe, documented, emotional distress.

67. As a direct and proximate result of Ms. Mather’s breach of her duties, Plaintiff suffered severe injury.

68. Ms. Mather’s conduct was willful, wanton, and/or reckless, and as a result, Plaintiff should recover punitive damages from Ms. Mathers [sic].

Appellees filed an answer to Mr. Ledford’s complaint denying liability and asserting a number of affirmative defenses. Later, Appellees filed a joint motion for judgment on the pleadings pursuant to CR[3] 12.03. In their supporting memorandum, Appellees argued that regardless of the factual validity of Mr. Ledford’s allegations, his claims were preempted by HIPAA. Mr. Ledford responded that his common law invasion of privacy and negligence claims were not contrary to HIPAA and therefore not preempted. Relying on Doe v. Ashland Hospital Corporation, No. 2021-CA-0466-MR, 2022 WL 815221 (Ky. App. Mar. 18, 2022), an unpublished opinion rendered by this Court, the circuit court granted Appellees’ CR 12.03 motion for judgment on the pleadings and dismissed Mr. Ledford’s claims “with prejudice.”

[3] Kentucky Rules of Civil Procedure.

Its order provides:

For the same reasons [as set forth in Doe v. Ashland, supra] HIPAA preempts Mr. Ledford’s claims. The allegations associated with his claims all speak to protections against unauthorized access to medical records, which is expressly addressed by HIPAA. To this end, the common law torts Mr. Ledford pursues are not “more stringent” than the standards established under HIPAA as determined by [Doe v. Ashland]. Ultimately, and like Doe [v. Ashland], [Mr. Ledford’s] tort claims cannot circumvent the effects of preclusion, as harsh as they are. Despite this conclusion, assuming Mr. Ledford’s allegations of unauthorized access could be substantiated, it would be reprehensible. One of the underlying policy considerations of HIPAA is maintaining physician patient confidentiality, which is a cornerstone medical treatment, especially that addressing mental health.

12/23/2023 Order at p. 4-5.

This appeal followed.

II. STANDARD OF REVIEW

As noted, the circuit court dismissed Mr. Ledford’s claims pursuant to CR 12.03. It provides:

After the pleadings are closed but within such time as not to delay the trial, any party may move for judgment on the pleadings. If, on such motion, matters outside the pleading are presented to and not excluded by the court, the motion shall be treated as one for summary judgment and disposed of as provided for in Rule 56, and all parties shall be given reasonable opportunity to present all materials made pertinent to such a motion by Rule 56.

Id. “When a party moves for judgment on the pleadings, he admits for the purposes of his motion not only the truth of all of his adversary’s well-pleaded allegations of fact and fair inferences therefrom, but also the untruth of all of his own allegations which have been denied by his adversary.”[4] Archer v. Citizens Fidelity Bank & Tr. Co., 365 S.W.2d 727, 729 (Ky. 1962). As a result, “the circuit court is not required to make any factual determination; rather, the question is purely a matter of law.” James v. Wilson, 95 S.W.3d 875, 883-84 (Ky. App. 2002). “We review [the circuit court’s ruling on] a judgment on the pleadings de novo.” Scott v. Forcht Bank, NA, 521 S.W.3d 591, 594 (Ky. App. 2017).

III. ANALYSIS

HIPAA, 42 U.S.C.[5] § 1320(d), adopted by Congress in 1996, aims to protect the security and privacy of health information. 45 C.F.R.[6] §§ 160, 164 (2006). Congress delegated the task of creating national standards to “ensure the integrity and confidentiality of the information” to be collected and disseminated to the Secretary of the Department of Health and Human Services. 42 U.S.C. § 1320d-2(d)(2)(A). The regulations promulgating these standards as created by the Department of Health and Human Services became effective on April 14, 2003, and are collectively known as “the Privacy Rule,” which sets forth standards and procedures for the collection and disclosure of “protected health information” (“PHI”).[7] Thus, HIPAA is a combination of the statute and the regulations adopted under its authority.

[4] We note that, in this case, the circuit court quite correctly adopted the factual allegations in Mr. Ledford’s complaint assuming them to be true for the purposes of deciding Appellees’ motion for judgment on the pleadings.

[5] United States Code.

[6] Code of Federal Regulations.

HIPAA is silent with respect to private enforcement. And it is firmly settled that there is no private cause of action under HIPAA, either express or implied. Faber v. Ciox Health, LLC, 944 F.3d 593, 596-97 (6th Cir. 2019).

However, the fact that HIPAA does not provide for a private right of action does not mean that HIPAA necessarily prohibits common law tort claims based on the wrongful release of confidential medical information. Shepherd v. Costco Wholesale Corporation, 482 P.3d 390, 396 (Ariz. 2021) (collecting cases).

[7] The Privacy Rule establishes patients’ rights and requires that health professionals implement various procedures regarding the use of and access to health care information. It prohibits “covered entities” from using and disclosing PHI except as required or permitted by the regulations. 45 C.F.R. § 164.501 and 45 C.F.R. § 160.103. There are three categories of “covered entities”: (1) health plans; (2) health care clearinghouses; and (3) health care providers. 45 C.F.R. § 160.103. The Privacy Rule prohibits covered entities from using or disclosing PHI in any form oral, written or electronic, except as permitted under the Privacy Rule. 45 C.F.R. § 164.502(a). “Use” and “disclosure” are defined very broadly. 45 C.F.R. § 164.501. “Use” includes an examination of PHI; “disclosure” includes divulging or providing access to PHI.

The Privacy Rule is also centered on the concept that, when using PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request. 45 C.F.R. § 164.508. In other words, even if a use or disclosure of PHI is permitted, covered entities must make reasonable efforts to disclose only the minimum necessary to achieve the purpose for which it is being used or disclosed.

Whether common law causes of action predicated on the wrongful release of confidential medical information can permissibly coexist with HIPAA is essentially one of preemption.

The Supremacy Clause of the United States Constitution grants Congress the power to preempt state law. Lafferty Enterprises, Inc. v. Commonwealth, 572 S.W.3d 85, 91 (Ky. App. 2019). There are three ways state law can be preempted by the Supremacy Clause: (1) where federal law expressly preempts state law (express preemption); (2) where federal law has occupied the entire field (field preemption); or (3) where there is a conflict between federal law and state law (conflict preemption). Commonwealth ex rel. Cowan v. Telcom Directories, Inc., 806 S.W.2d 638, 640 (Ky. 1991).

“[B]oth the HIPAA statute and its regulations use preemptive language[.]” Murphy v. Dulay, 768 F.3d 1360, 1367 (11th Cir. 2014) (citation omitted). When determining whether a federal statute’s preemption clause expressly preempts state law, “we focus on the plain wording of the clause,” which necessarily contains “the best evidence of Congress’ preemptive intent.” Chamber of Commerce of U.S. v. Whiting, 563 U.S. 582, 594, 131 S. Ct. 1968, 1977, 179 L. Ed. 2d 1031 (2011). “The non obstante[8] provision of the Supremacy Clause indicates that a court need look no further than the ordinary meaning of federal law.” PLIVA, Inc. v. Mensing, 564 U.S. 604, 623, 131 S. Ct. 2567, 2580, 180 L. Ed. 2d 580 (2011).

[8] Non obstante is a Latin phrase that means “notwithstanding” or “despite.”

As noted, HIPAA itself contains an express preemption clause. It provides:

(1) General rule

Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.

(2) Exceptions

A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall not supersede a contrary provision of State law, if the provision of State law--

(A) is a provision the Secretary determines--
    (i) is necessary--
        (I) to prevent fraud and abuse;
        (II) to ensure appropriate State regulation of insurance and health plans;
        (III) for State reporting on health care delivery or costs; or
        (IV) for other purposes; or
    (ii) addresses controlled substances; or
(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.

(b) Public health

Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.

(c) State regulatory reporting

Nothing in this part shall limit the ability of a State to require a health plan to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.

42 U.S.C. § 1320d-7 (emphasis added). However, even where the state law in question is contrary to HIPAA, the regulations provide that HIPAA will not supersede it so long as the state law is “more stringent” than HIPAA. 45 C.F.R. § 160.203(b). “State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.” 45 C.F.R. § 160.202 (emphasis added).

In sum, HIPAA and its regulations preempt a state law, including the common law, if there is a conflict between HIPAA and state law and the state law is not more stringent than the HIPAA regulation. Thus, the first task in a HIPAA preemption case is to determine whether the state law at issue is actually contrary to HIPAA. If the state law is not contrary to HIPAA, there is no need for further analysis. The two laws can coexist in harmony. If the state law is contrary to HIPAA, then, and, only then, must one consider whether the state law is more stringent. The regulations provide that a state law is “contrary” to HIPAA when (1) it is “impossible to comply with both the State and Federal requirements”; or (2) “state law stands as an obstacle to the accomplishment and execution” of the act. 45 C.F.R. § 160.202.

In Doe v. Ashland, supra, relied on by the circuit court and now the Appellees, the court jumped to the “more stringent” requirement without considering whether the common law causes of action before it were actually contrary to HIPAA. As explained above, however, whether the state law is contrary to HIPAA is the threshold determination. State laws that are not contrary to HIPAA are not preempted. If, and only if, a state law is contrary to HIPAA must a court then consider whether the state law is more stringent. In affirming the lower court, the Doe v. Ashland court appeared to presume the appellant’s state law causes of action were contrary to HIPAA simply because HIPAA does not contain its own private right of action.

Therefore, before we examine the intricacies of Mr. Ledford’s individual common law claims, we will briefly address Appellees’ overarching argument that any common law tort predicated on the dissemination of HIPAA protected information must be preempted. Appellees reason that because Congress did not create a private right of action for HIPAA violations, their intent must have been to bar all such actions in favor of governmental enforcement.[9] Appellees’ argument employs flawed reasoning, conflating the absence of a private right of action under HIPAA with an intent to bar all related private claims.

“Ordinarily, the mere existence of a federal regulatory or enforcement scheme . . . does not by itself imply pre-emption of state remedies.” English v. General Elec. Co., 496 U.S. 72, 87, 110 S. Ct. 2270, 2279, 110 L. Ed. 2d 65 (1990). Thus, we cannot conclude that the mere existence of a private enforcement mechanism means that private enforcement is contrary to HIPAA. After reviewing HIPAA’s legislative history, the Supreme Court of Connecticut actually held the opposite was true. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32, 46 (Conn. 2014) (“[T]he regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.”). In support of its holding the Byrne court noted:

[O]ne commenter during the rulemaking process had “raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy. Standards for Privacy of Individually Identifiable Health Information, 65 Fed.Reg. 82,462, 82,582 (December 28, 2000). In its administrative commentary to the final rule as promulgated in the Federal Register, the department responded to this question by stating, inter alia, that “the fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions,” namely, fines and imprisonment. (Emphasis added.) Id. This agency commentary on final rules in the Federal Register is significant evidence of regulatory intent.

[9] With regard to HIPAA, Congress has provided for the administrative enforcement of its provisions by the Secretary of Health and Human Services, 42 U.S.C. §§ 1320d-5, 1320d-6, as well as by State Attorneys General, 42 U.S.C. § 1320d-5(d).

Id.

Like the Byrne court, we find HIPAA’s legislative history supports the conclusion that HIPAA itself was not intended to bar all state common law causes of action premised on the wrongful disclosure of medical information protected by HIPAA. See also Menorah Park Center for Senior Living v. Rolston, 173 N.E.3d 432, 441 (Ohio 2020) (“In a situation in which state law provides a patient the potential personal recovery of damages, it is not impossible for the covered entity to comply with both HIPAA and the state law[.]”); Lawson v. Halpern-Reiss, 212 A.3d 1213, 1217 (Ver. 2019) (“HIPAA does not preempt causes of action arising under state common or statutory law imposing liability for health care providers’ breaches of patient confidentiality.”); Vaughn v. Patient First, 4:16CV39, 2016 WL 11673421, at *6 (E.D. Va. Aug. 10, 2016) (“[T]he fact that HIPAA does not provide a private cause of action, standing alone, does not necessarily require dismissal of a HIPAA-related negligence claim under Virginia law.”); R.K. v. St. Mary’s Medical Center, Inc., 735 S.E.2d 715, 724 (W. Va. 2012) (superseded by statute) (“[S]tate common-law claims for the wrongful disclosure of medical or personal health information are not inconsistent with HIPAA. . . . [S]uch state-law claims compliment [sic] HIPAA by enhancing the penalties for its violation and thereby encouraging HIPAA compliance.”).

Based on the statutory language and legislative history of HIPAA, we are firmly convinced that HIPAA does not categorically bar all state law claims seeking redress for the wrongful disclosure of HIPAA protected information. To the extent that Doe v. Ashland, supra, implicitly reached the opposite conclusion, we decline to follow suit. We are at liberty to do so because Doe v. Ashland was designated “not to be published.” RAP[10] 41(A) (“‘Not To Be Published’ opinions of the Supreme Court and the Court of Appeals are not binding precedent and citation of these opinions is disfavored.”); Johnson v. Commonwealth, 659 S.W.3d 832, 837 (Ky. App. 2021) (citation omitted) (“[U]npublished opinions are not binding precedent, but only persuasive authority. Therefore, we are not required to follow their holdings.”).

[10] Kentucky Rules of Appellate Procedure.

We must now examine Mr. Ledford’s specific claims to determine if the claims themselves are contrary to HIPAA. We begin with invasion of privacy, a somewhat amorphous tort. As early as 1867, Kentucky courts began to grapple with the concept of an individual right of privacy existing apart from one’s property rights. See Grigsby v. Breckinridge, 65 Ky. 480, 497 (Ky. 1867); see also W. Thomas Bunch, Kentucky’s Invasion of Privacy Tort – A Reappraisal, 56 KY. L.J. 261 (1968). However, at that time, an independent tort specifically for invasion of privacy had not yet been established. For the next fifty years, our courts flirted with the notion of invasion of privacy without actually firmly holding such a tort existed. Bunch, supra, at 261-65. In 1927, however, the Court of Appeals[11] decided Brents v. Morgan, 299 S.W. 967 (Ky. 1927), explicitly holding for the first time that “there is a right of privacy, and that the unwarranted invasion of such right may be made the subject of an action in tort to recover damages for such unwarranted invasion.” Id. at 971.

Despite having been firmly established, the tort remained difficult to precisely define. Then, in 1981, the Kentucky Supreme Court adopted the general invasion of privacy principles found in the Restatement (Second) of Torts. McCall v. Courier-Journal and Louisville Times Co., 623 S.W.2d 882, 887 (Ky. 1981).

[11] Kentucky’s highest court at the time.

The Restatement provides that: “[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” RESTATEMENT (SECOND) OF TORTS § 652B (1977) (emphasis added). The tort “consists solely of an intentional interference with [a person’s] interest in solitude or seclusion, either as to his person or as to his private affairs or concerns, of a kind that would be highly offensive to a reasonable man.” Id. at cmt. a (emphasis added). An example highlighted in the RESTATEMENT (SECOND) was an intrusion into someone’s privacy “by opening [a plaintiff’s] private and personal mail.” Id. cmt. b. “The intrusion itself makes the defendant subject to liability, even though there is no publication or other use of any kind of the . . . information outlined.” Id.

Appellees have not cited any compelling authority that convinces us that Kentucky’s common law tort for invasion of privacy is contrary to HIPAA, even where the privacy interest at stake concerns one’s private medical information. Indeed, it seems to us that Kentucky’s common law tort for invasion of privacy is consistent with HIPAA insomuch as it would prevent disclosure of private medical information without cause.[12] In fact, HIPAA’s regulatory history indicates that state privacy laws, like Kentucky’s, harmonize with HIPAA and were actually cited as a reason for adopting HIPAA in the first instance. Standards for Privacy of Individually Identifiable Health Information, 65 FR 82462-01 (“A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy.”).

In sum, we hold that Mr. Ledford’s common law invasion of privacy claim is not contrary to HIPAA. It is not impossible for Appellees to comply with both Kentucky’s common law privacy standards and HIPAA. Likewise, Kentucky’s common law – at least as it relates to privacy – does not create an obstacle to the accomplishment and execution of HIPAA and its objectives. In fact, as HIPAA’s legislative history indicates, state privacy laws serve similar objectives as HIPAA.

[12] In Williams v. Commonwealth, 213 S.W.3d 671, 676, n.3 (Ky. 2006), the Court noted that “it [] seems self-evident that some degree of privacy exists in the procurement of health care.”

This, of course, is not to say that Mr. Ledford will ultimately prevail on his invasion of privacy claim. Whether he will be able to do so is highly dependent on by whom, under what circumstances, and for what purposes his information was accessed and/or disseminated, matters that have not yet been fully explored through the discovery process.

This brings us to Mr. Ledford’s negligence claim. We note at the outset that whether Kentucky’s common law provides a remedy for a health care provider’s breach of its duty of confidentiality is not an issue presented in this appeal. Thus, assuming, without deciding, that Kentucky’s common law recognizes a negligence cause of action arising from health care providers’ breaches of patient privacy, we now undertake to consider whether such a cause of action is contrary to HIPAA. Again, the answer is no. To prevail on a negligence claim under Kentucky law, the plaintiff must prove that the defendant 1) owed the plaintiff a duty of care, 2) the defendant breached the standard of care by which his or her duty is measured, and 3) that the breach was the legal causation of the consequent injury. Pathways, Inc. v. Hammons, 113 S.W.3d 85, 88-89 (Ky. 2003). With some exceptions, Kentucky courts generally adhere to the “universal duty of care”[13] standard which is a general obligation to exercise ordinary care to prevent foreseeable harm. Morgan v. Scott, 291 S.W.3d 622, 631 (Ky. 2009) (“[W]e remain committed to the longstanding tort principle that liability based upon negligence is premised upon the traditional prerequisites, such as proximate cause and foreseeability.”). For a common law negligence claim, the standard of care is that which “a reasonably prudent person would exercise under the circumstances.” Joiner v. Tran & P Properties, LLC, 526 S.W.3d 94, 100 (Ky. App. 2017).

[13] “The duty does not ‘allow for new causes of action to arise that did not previously exist.’” New Albany Main Street Properties, LLC v. Stratton, 677 S.W.3d 345, 351 (Ky. 2023) (quoting Johnson v. United Parcel Serv., Inc., 326 S.W.3d 812, 815-16 (Ky. App. 2010)). It “has no meaning in Kentucky jurisprudence beyond the most general expression of negligence theory, and certainly none absent a relational context as evidenced by the circumstances of each case.” Id. (quoting Jenkins v. Best, 250 S.W.3d 680, 691 (Ky. App. 2007)).

When discussing duty and breach of the standard of care, it is important to distinguish between ordinary, common law negligence claims and negligence per se claims. Mr. Ledford is pursuing an ordinary, common law negligence claim, not a negligence per se claim predicated solely on Appellees’ violation of HIPAA. This is a significant distinction.

There is a difference between using a statute to establish the standard of care in an ordinary negligence claim and using the violation of a statute to establish the duty and breach of duty in a negligence per se claim. Negligence per se uses a statutory violation to establish duty and breach of duty. Rayfield v. S.C. Dep’t of Corr., 297 S.C. 95, 374 S.E.2d 910, 914-15 (S.C. Ct. App. 1988). In contrast, if a statute is used to establish[] a standard of care, there must be some independent duty because “[o]nly when there is a duty would a standard of care need to be established.” Doe ex rel. Doe v. Wal-Mart Stores, Inc., 393 S.C. 240, 711 S.E.2d 908, 912 (2011).

J.R. v. Walgreens Boots All., Inc., 470 F. Supp. 3d 534, 554 (D.S.C. 2020), aff’d, 2021 WL 4859603 (4th Cir. Oct. 19, 2021).

In Young v. Carran, 289 S.W.3d 586, 587 (Ky. App. 2008), our Court held that a plaintiff could not utilize KRS14 446.070, Kentucky’s negligence per se statute,15 to seek redress for an alleged HIPAA violation. The Court explained that Young’s claim failed because “KRS 446.070 is limited to Kentucky statutes and does not extend to federal statutes and regulations or local ordinances.” 289 S.W.3d at 589. In so holding, however, we pointed out that there is a difference between using a federal statute to inform the standard of care for purposes of a common law negligence action and bringing a KRS 446.070 negligence per se claim claiming an actual violation of the statute. Id. at 589.

For example, in T & M Jewelry, Inc. v. Hicks ex rel. Hicks, 189 S.W.3d 526 (Ky. 2006), the Kentucky Supreme Court addressed negligence claims arising from the sale of a handgun to an 18-year-old by a federally licensed gun dealer, The Castle. After purchasing the handgun, the buyer accidentally shot his girlfriend, Jennifer Hicks. The court upheld summary judgment against the negligence per se claims, citing the lack of a private civil remedy under the Federal Gun Control Act. However, it allowed common law negligence claims to proceed, noting that the plaintiff could rely, at least in part, on the Federal Gun Control Act, to inform the jury as to the proper standard of care. Id. at 532.

14 Kentucky Revised Statutes.

15 KRS 446.070 provides: “A person injured by the violation of any statute may recover from the offender such damages as he sustained by reason of the violation, although a penalty or forfeiture is imposed for such violation.” Id.

The fact that Mr. Ledford’s private information may be protected under HIPAA does not mean he has attempted to plead a private right of action under HIPAA. Though Mr. Ledford’s privacy interests in his medical records may overlap with the rights assured by HIPAA, HIPAA does not subsume all other legal authority relating to the right to privacy merely because the privacy violated relates to medical information. And, having reviewed Kentucky’s negligence law, we do not see how such an action, if authorized under Kentucky’s common law, would be in any way contrary to HIPAA. Henry v. Community Healthcare System Community Hospital, 134 N.E.3d 435, 437 (Ind. Ct. App. 2019).

In conclusion, we hold that neither Mr. Ledford’s Kentucky common law claim for invasion of privacy, nor his negligence claim, is preempted by HIPAA. Our opinion in this regard should not be construed as a determination that Mr. Ledford’s invasion of privacy claim will ultimately prevail or that a negligence claim for the disclosure of confidential medical information exists in Kentucky.

As to the former, the factual record is not sufficiently developed; and as for the latter, that issue has not been raised or briefed by the parties. Our opinion today is simply that to the extent such claims exist and are factually viable, they are not preempted by HIPAA.

IV. CONCLUSION For the reasons set forth above, we reverse the Jefferson Circuit Court’s December 30, 2023 order dismissing Mr. Ledford’s claims with prejudice and remand this matter for further proceedings.

ALL CONCUR.

BRIEFS AND ORAL ARGUMENT BRIEF FOR APPELLEES: FOR APPELLANT: Chelsea Granville Reed P. Stewart Abney Brent R. Baughman Louisville, Kentucky Aaron W. Marcus Ryne E. Tipton Louisville, Kentucky

ORAL ARGUMENT FOR APPELLEE: Brent R. Baughman Louisville, Kentucky


Case-law data current through December 31, 2025. Source: CourtListener bulk data.