[BreachExchange] When Information Breaches Lead to Lawsuits

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 15 20:24:13 EDT 2016


http://www.renalandurologynews.com/hipaa-compliance/when-information-breaches-lead-to-lawsuits/article/522626/

When it enacted HIPAA, the Department of Health and Human Services (HHS)
chose to use a "carrot" rather than "stick" approach to enforcing the law.
Penalties have been given for major breaches, but aside from that, there is
little financial skin in the game for providers. At least until now.

When a provider wrongfully discloses protected health information, HIPAA
does not provide patients with a legal remedy other than reporting the
incident to HHS. But courts have begun to look at the issue differently,
ruling, in some cases, that providers can be sued under state rules
pertaining to privacy and negligence for breaches.

“Courts are beginning to say that just because the federal government
didn't give a remedy, it shouldn't preclude patients from bringing a suit
in states,” said Chad Eckhardt, a member in the regulated business group at
Frost Brown Todd, which has its headquarters in Cincinnati, Ohio.

Recourse at the state level

It was a 2014 Supreme Court decision in Connecticut that set a precedent
allowing providers to be sued for HIPAA violations. A patient filed a
lawsuit against her obstetrician when the provider mailed her medical
records to a court in response to a subpoena related to a paternity suit
filed by her ex. She was not informed of the subpoena by her provider and
she filed for negligence, negligent emotional distress, breach of contract,
and negligent misrepresentation as to the safety of her records. Although
originally dismissed, her case ended up at the state supreme court, which
ruled that her case stated a claim for which relief may be granted and
remanded it for trial.

There are numerous torts for which individuals can seek redress for
personal injury, but some are not suitable for filing lawsuits related to
HIPAA violations. Two such torts are invasion of privacy and public
disclosure of private facts, Eckhardt said. Plaintiffs have to prove
damages. Those torts rarely result in physical damage, so plaintiffs have
to prove mental or emotional distress. Courts, he said, are reluctant to
provide a remedy for non-physical damage under torts.

Negligence is another category that requires plaintiffs to prove damages.
Under this tort, physicians can be considered negligent because they did
not comply with a standard of conduct (HIPAA). “If the federal government
says this is the minimum standard of confidentiality and you don't meet
those minimum standards, you are negligent as a matter of fact,” Eckhardt
said.

Breach of contract is another option for plaintiffs, though the damages are
much less than with a tort, Eckhardt said. Some states, like Ohio and West
Virginia, have also created torts specifically for the unauthorized
disclosure of medical records.

“More states are creating this tort for unauthorized release of records
and if they don't have one, courts are going to try to find a remedy for
harm done if there is actual damage to an individual,” Eckhardt said.

Setting precedent

A case out of Indiana was the first to show that employers can be held
accountable for their staffs' HIPAA violations. A patient sued Walgreens
and one of its pharmacists when she found out the pharmacist had looked up
and released medical records to the plaintiff's ex-boyfriend. The
pharmacist was married at the time to the woman's ex, to whom she provided
prescription information. The woman won $1.4 million in damages, holding
Walgreens accountable for the employee's breach of confidentiality under
HIPAA for reasons including negligent supervision.

Physicians need to ensure they are training all employees upon hiring them
and annually thereafter, Eckhardt said. Consistent training can help a provider
prove they have not been negligent in supervision of their employees and
reduce their liability.

As part of training, the importance of caring for hyper-sensitive
information like HIV status and mental health conditions should be
emphasized. In addition, practices need to review office processes to
determine where people can get tripped up. For example, if a subpoena is
received, what should employees at each level do with the request?

“Courts are going to try to find a remedy for harm done if there is actual
damage to an individual,” Eckhardt said. “Courts are allowing awards for
individuals, especially for hypersensitive information because it is so
stigmatizing.”