INSIDE VS. OUTSIDE HIPAA BREACH
HIPAA breaches are caused by insiders (employees, contractors) almost as often as by outsiders (intruders, hackers). Recently, a Pennsylvania hospital notified about 2,000 patients of a breach after one of its employees transmitted the patients’ PHI over a non-secure network. The employee’s use of a non-secure network was treated as a breach even though there was no evidence that the PHI of the Penn State Hershey Hospital patients was actually disseminated to anyone other than authorized persons. The report was made on the basis that the PHI could have been accessed.
The lesson here is that breaches are just as likely to result from employee error as from those actively trying to steal patient PHI. The result is the same: a reportable breach, bad publicity, and the cost of notifications and potential fines.
HELL HATH NO FURY …
Another PHI breach was the result of an apparent personal vendetta. The University of Cincinnati recently fired an employee who posted PHI obtained from the UC Medical Center on Facebook relating to a woman’s medical record, including her name and a diagnosis of an STD. The litigation filed indicates that the woman is suing the individual employee at UC Medical Center, an unnamed person, and UC itself for the breach, and the hospital for its alleged negligent supervision and training.
VA PATIENTS IN YOUR HOSPITAL OR CLINIC
Last week Congress passed legislation which allows persons who normally would be required to seek medical attention at a VA clinic or hospital to instead obtain medical services at local hospitals, clinics and practices where there is a significant wait. Given the truly devastating wait times reported for VA hospitals in news stories over the last several weeks, it is likely that there will be significant demand for veterans’ health services in non-VA facilities. We are awaiting a copy of the actual legislation to determine such details as what reimbursement rates will be offered and how billing and payment will be handled for the non-VA providers, and will update as soon as possible.
One problem has already surfaced: use of non-VA facilities/providers requires obtaining a case card which certifies the lack of availability of service at the VA. The catch is that only the VA headquarters office can issue the cards. This is the same office that appeared to be unaware of the massive boondoggle in access to VA facilities in the first place.
DATA BREACH CLASS ACTIONS
We primarily discuss the possibility of fines assessed by HHS for HIPAA data breaches. The highest of these fines known to date is $4.8M. Predictions from HHS attorneys in 2014 indicate that the current record fine amount will be substantially exceeded.
These fines pale in comparison to the potential damages which could be assessed in class actions against the companies or providers that allowed or suffered data breaches. Class action cases have sought millions, if not billions, of dollars based on breaches to date. The primary defense to these large and expensive cases has been the claim that the plaintiffs, in most class actions, have no standing to sue. This lack of standing rests on the fact that, for many class action plaintiffs, a breach results in potential but not actual damages at the time the suit is filed. The concept of standing in litigation generally requires that the plaintiff or plaintiffs have suffered actual harm. In many data breach cases, this actual harm has not occurred; there is only the potential that someone will damage a person’s credit rating, cause them to pay charges they don’t owe, or commit identity theft against them. The companies/providers that have suffered or allowed the release of PHI often offer “credit monitoring” or other services to mitigate these damages.
Class action plaintiffs continue to test this distinction, and there are conflicting federal and state court opinions on what point on the continuum from potential to actual quantifiable damages must be reached to sustain a class action. Class actions have been filed against Pandora, Google and Netflix regarding data breaches, and lawsuits regarding PHI breaches are making their way through the system. Recently, the Supreme Court of West Virginia found that state-based claims for breach of physician/patient confidentiality and invasion of privacy were not speculative, and were sufficient to sustain the certification of a class action in that suit. The Court still had concerns about whether the “mere risk of future identity theft alone” is a sufficient injury for standing.
HIGHMARK HIPAA BREACH
Highmark, a healthcare company, has notified over 3,500 of its insureds that an employee mailing out health risk assessments apparently sent the assessments, with PHI attached, to the wrong members. This is a clear-cut breach: dozens, if not hundreds, of persons received PHI that was not their own, and their own PHI was likely received by other persons. The breach is so recent that there is no information yet on the actual number of individual PHI disclosures or the likely sanctions.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Bar Association Health Law Section and the American Health Lawyers Association, who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians and health practices with contract matters, federal legal compliance, creation of practice entities, estate and wealth planning, and similar issues. Please feel free to call at (812) 402-1600 or email email@example.com if you have any questions about this newsletter or other legal matters.