Care First, a company which had a very, very large 2015 data breach (discussed in Healthcare Law News – Volume 109 https://www.joneswallace.com/healthcare-law-news-volume-109), has asked the Supreme Court to review the decision of the District of Columbia Appeals Court allowing Care First customers who were impacted by the Care First data breach to sue for damages. As we discussed earlier, various companies that have allowed breaches claim that, despite the impact on their customers, the affected customers suffered no damages and cannot sue because they have not yet actually lost any money or cannot prove their private information has already been used by the hackers. The Supreme Court could refuse to accept the case, letting the DC decision allowing the customers to go forward with their lawsuit stand, or could accept the case in order to determine whether those who have been or potentially will be impacted by the Care First, Anthem and many other data breaches can or cannot sue for damages.
What If The Guards Can’t Be Trusted?
There are three main credit data brokers operating in the United States: Experian, Trans Union and Equifax. In past data breaches by Anthem, Target and others, each of the companies which allowed your data and mine to be accessed by hackers/criminals offered one year of credit monitoring through one of the three large credit data brokers.
The premise was that, through the brokers' monitoring of your and my personal and private data (the same data the credit data brokers use to make billions of dollars), that data would be protected.
Now Equifax announces it has had the breach of all breaches: apparently the private data of half of all Americans, possibly including Social Security Numbers and other personal financial information, has been exposed to hackers. This is a huge and significant event, and it shows the worthlessness of the “solution” offered by Anthem, Care First, Target, Schnucks and others who offer credit monitoring as a remedy and as the sole alternative for those who have already suffered such a breach.
We expect this breach will have several ramifications:
- In the Care First case which the Supreme Court may consider, the argument by Care First that such credit data broker monitoring is a sufficient remedy appears to have been, at best, deflated. No one can seriously assume that credit monitoring by the credit data brokers is a remedy for anything.
- Various US Senators and Representatives have begun talking about dramatically increasing the regulation of the large credit data brokers. In other words, someone apparently must guard the guards. While getting any significant legislation through our current Congress appears to be a challenge, it is possible that this type of event can bring all sides in Congress together to protect those who elected them and to recognize the threat that such data breaches pose to the economic security of Americans.
Disposing of Medical Records
State privacy rules and HIPAA require that covered entities (any provider) use “appropriate” methods and safeguards to protect PHI in whatever form.
These rules apply not only during active use of the records, but also when a practice terminates, whether by retirement, sale or merger.
For ongoing operations, HIPAA regulations require that your staff receive training on, and follow, the policies and procedures necessary for the maintenance or disposal of the records. When was your staff’s last training session?
If you are terminating a practice or disposing of records, either due to retirement or due to conversion to an electronic health records (EHR) system, HIPAA does not specify how to dispose of the records. Rather, HIPAA requires you to adopt and carry through reasonable steps to safeguard the PHI throughout the disposal process. Assessing the risks requires you to consider the form, type and amount of PHI being disposed of. Documents with names, SSNs, credit information, diagnoses, treatment information and similar sensitive information will require more care, because inappropriate access to them carries a higher risk of identity theft, discrimination or other harm. HHS has published guides on its website with practical information on how to dispose of or sanitize PHI throughout the information life cycle.
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians and health practices with contract matters, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call at (812) 402-1600 or write to firstname.lastname@example.org if you have any questions on this newsletter or other legal matters.