Posted by: Robert Markette
November 02, 2006

Well, earlier this week I mentioned a recent incident here in Indianapolis in which an employee of a contractor for a local hospital system left CDs containing protected health information on approximately 260,000 employees in a computer bag that was returned to the store. The hospital has now been sued by one of the individuals whose information was disclosed. The article did not explain the plaintiffs legal theory, but simply said the plaintiff was seeking damages for the disclosure. The plaintiff is seeking certification of a class of 260,000 and asking for $5,000 per patient. (Yes, if you do the math, they potential total for damages is $1.3 Billion.)This is interesting for a few reasons. First, every court that has addressed whether there is a private cause of action (meaning whether an individual can sue a provider) for a HIPAA violation has come to the same conclusion. That conclusion is that HIPAA did not create a right to sue a covered entity for a breach of HIPAA. In fact, courts have specifically mentioned that HIPAA allows for complaints by a patient that feels their rights have been violated.
Even beyond this large legal hurdle, from the provider standpoint, there are a few other problems for the plaintiff. There is no indication that the information on the disks was accessed. The disks were left in a bag that sat at a store until it was purchased. It was only after the bag was purchased that the new owner found the disks. It seems more than highly unlikely that the disks were accessed. Since the disks were still in the bag when they were purchased, for someone to access them they would have had to either do it in the store or take the disks out, access them elsewhere and then return them.

Each of those scenarios raises an interesting problem. If the data were accessed in the store, you would think somebody at the store would have noticed an individual standing in the store actively copying CDs. If the disks were removed from the store, why would the thief bring them back. In other words, if no one accessed the data, what is the harm? The Plaintiffs attorney says it is the cost and burden of checking credit reports to ensure nothing happened.

Finally, not only does HIPAA fail to create a private cause of action, it does not require health care providers to monitor their business associates. A covered entity is not considered in violation of HIPAA as the result of a violation by its business associate until it is aware of a breach by the business associate. Nowhere in HIPAA is a covered entity required to police its business associates compliance. If a provider is considered to be in compliance until it is aware of a breach by its business associate, it is hard to imagine how the covered entity can be considered liable for the breach of its contractor.

I mention this to reinforce another point. HIPAA violations come with costs. If a provider can get sued even in a case with as many questions as this one anyone can. Once the suit is filed, you start paying legal fees and associated costs. Even if you do not end up paying a large judgment to a class of plaintiffs, litigation is still expensive. The moral of this story is that even though HIPAA does not give your patients a right to sue you, they still may do so and you should be prepared for that.

News

HIPAA Law Suit

News

Health Care

Topics

Recent Updates

Archives

Web Resources



	Home \| Attorneys \| Contact Us \| Site Map
	The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation. Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.