[BreachExchange] HIPAA Enforcement: Where’s the Action?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 12 19:37:21 EDT 2018


https://www.jdsupra.com/legalnews/hipaa-enforcement-where-s-the-action-21158/

Imagine a breach in the privacy of protected health information.  The
violation of an individual’s HIPAA rights may be clear, but the individual
cannot sue under HIPAA.  Courts have consistently held that HIPAA provides
no private right of action.

In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit,
claiming that her HIPAA rights had been violated.  When hospitalized, she
had been asked to submit medical information on a computer.  She alleged
that the information she entered was visible to another patient at a nearby
computer station.  The court did not reach the question of whether the
proximity of the computers resulted in a HIPAA violation.  It dismissed the
claim, observing that HIPAA limits enforcement actions to the U.S.
Department of Health and Human Services and states’ attorneys general.

The absence of a private right of action under HIPAA significantly reduces
the risks faced by covered entities and business associates, but it does
not shield them against all litigation and liability. Lawsuits for the
improper disclosure of personal medical information have been brought under
different theories, including common law breaches of privacy and breaches
of contract.  Last year, Anthem Inc. settled a class action, arising from a
large 2015 data breach, for $115 million. Currently, litigation is being
pursued under non-HIPAA claims for disclosures that have resulted from
mailing practices, including the use of window envelopes and incorrect
addresses.  Case law is emerging, and it is possible that courts will refer
to HIPAA’s standards as setting the bar for the privacy and data security
safeguards that should be implemented and followed, but individuals who sue
for breaches of those safeguards will need to base their claims on
something other than a HIPAA violation.

That does not mean that we should ignore HIPAA as a source of liability. As
we previously reported, an administrative law judge recently upheld HIPAA
penalties of more than $4 million that the Office of Civil Rights of the
Department of Health and Human Services (OCR) determined should be assessed
against a hospital.

The risks presented by significant HIPAA violations remain serious,
although it appears that the pace of HIPAA enforcement by the OCR has
slowed under the Trump administration. In addition to the ALJ decision, the
OCR has announced only two settlements of HIPAA investigations in 2018, and
the OCR has been very quiet about its audit program for HIPAA compliance.

That could, of course, change, and there has been one recent development
that may affect HIPAA enforcement in the future. The OCR has announced that
it will seek comments on a methodology for sharing a portion of its
recoveries under HIPAA with those harmed by a breach.  The development of
this methodology is required under the Health Information Technology for
Economic and Clinical Health (HITECH) Act.  Whether the development of this
methodology leads to more enforcement activity or higher settlements is
likely to remain a subject of speculation for several years.  Its effect on
OCR enforcement actions may emerge only after regulations on the
methodology are finalized and put into effect.