
HIPAA violation creates lawsuit claim

While HIPAA does not in and of itself create a private cause of action, a growing body of cases in both federal and state courts outside of Texas suggests that a HIPAA violation causing clear harm to a plaintiff may support a lawsuit by providing grounds for some other private claim. Plaintiffs who have shown intentional breaches, or especially private disclosures, have had recent notable success in persuading courts to treat their health care providers’ HIPAA-based duties as an applicable standard of care to support their claims.

At least two such claims were recognized in November 2014 alone. In Byrne v. Avery Center for Obstetrics and Gynecology, the Connecticut Supreme Court held that a plaintiff’s negligence claims were not preempted by HIPAA and that HIPAA may inform the standard of care for a common-law negligence claim. There, the plaintiff’s claim was based on her obstetrician’s having produced her medical records to her ex-boyfriend in response to a subpoena. Despite the plaintiff’s having expressly instructed the obstetrician not to share her records, the obstetrician responded to the subpoena without notifying the plaintiff, filing a motion to quash, or objecting. The plaintiff sued the obstetrician for breach of contract, based on the violation of its privacy policy; negligence in failing to use proper care in protecting her medical file, including violations of its own regulations implementing HIPAA; negligent misrepresentation; and negligent infliction of emotional distress. On appeal, the court overturned the lower court’s preemption holding and found that HIPAA could inform the applicable standard of care.

An Indiana court of appeals also recognized a claim factually predicated on a HIPAA violation in Hinchy v. Walgreen Co. There, the court did not expressly discuss whether HIPAA violations can give rise to other private claims; instead, the court admonished the defendant’s pharmacist employee for breaching “one of her most sacred duties” by purposefully divulging the plaintiff’s birth control prescription records to her husband, the plaintiff’s ex-boyfriend. The court affirmed a $1.8 million award to the plaintiff, whose claims against Walgreens included negligent retention and supervision as well as Indiana statutory claims of negligence by professional malpractice and public disclosure of private facts.

These cases differ significantly from the more typical data security breach. They illustrate, however, that courts may be increasingly willing to use HIPAA violations to support common law or state statutory claims, at least where the violation and harm to a plaintiff are clear.

January 2015

Farrow-Gillespie Heath Witter LLP - Health Care Law

$150,000 Fine for HIPAA Violation

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR), has recently entered into another HIPAA settlement, emphasizing yet again the government’s focus on the HIPAA Security Rule. The settlement highlights that health care entities cannot merely adopt HIPAA policies; they must actually implement and follow those policies in practice on an ongoing basis. In early December 2014, HHS-OCR confirmed that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services, had agreed to pay a $150,000 fine, adopt a corrective action plan to correct deficiencies in its HIPAA compliance program, and report to HHS-OCR on the state of its compliance for two years. The settlement was based on an HHS-OCR investigation regarding ACMHS’s breach of unsecured electronic protected health information (ePHI). The breach was the result of malware that compromised the security of ACMHS’s information technology (IT) resources and affected 2,743 individuals.

During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed or updated. Thus, ACMHS could have avoided the breach (and not have been subject to the settlement agreement) if it had followed its own policies and procedures and regularly assessed and updated its IT resources with available patches. The settlement with ACMHS is just one of several recent settlements arising from an HHS-OCR investigation, whether because an organization self-reported a breach of ePHI or because HHS-OCR investigated an organization’s HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. No matter how the investigation begins, HHS-OCR will expect an organization to have fully implemented and updated its HIPAA compliance program and its policies and procedures. Compliance with the HIPAA Security Rule requires organizations (among other things) to assess risks to ePHI on a regular basis, including whenever new software, e.g., a patient portal, is implemented. Organizations cannot simply adopt HIPAA policies and procedures, conduct training, and then ignore HIPAA. All organizations subject to HIPAA, both “covered entities” and “business associates” (regardless of size), must devote ongoing resources to protecting personal health information from security threats.

Most of the activities that HHS-OCR found lacking at ACMHS are ones that can be efficiently developed, implemented, or sustained with timely planning by health care providers. Please let me know if you, or any of your clients, would like to discuss any of these activities with me.