The Internal Revenue Service (IRS) is facing a class-action lawsuit alleging that the agency improperly accessed about 60 million health records belonging to about 10 million U.S. residents.
An unnamed HIPAA-covered entity in California—referred to as John Doe Company—is filing the lawsuit, which claims that 15 IRS agents inappropriately seized medical records on March 11, 2011.
The firm acknowledged that the IRS agents had a search warrant for the financial data of a former John Doe Company employee. However, the company claimed that the agents' warrant "did not authorize any seizure of any health care or medical record of any persons, least of all third parties completely unrelated to the matter."
According to the complaint, the records that the IRS agents accessed without authorization include data on:
- Gynecological counseling;
- Psychological counseling; and
- Sexual and drug treatment, among other medical treatment data.
The complaint also stated, "IT personnel at the scene, a [HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records." The IRS agents ignored the warnings, according to the complaint.
The lawsuit is seeking punitive damages for constitutional violations, as well as $25,000 "per violation per individual" in compensatory damages. Those damages could start at a minimum total of $250 billion.
The lawsuit also seeks:
- A declaratory judgment to protect the proprietary and privileged data in records;
- An injunction preventing the IRS from sharing the data; and
- An order requiring the return of the seized records and "the purging of government databases of all such records" (McCann, Healthcare IT News, 3/15; Kearn, Courthouse News Service, 3/14; Ouellette, HealthITSecurity, 3/14).