BreachExchange mailing list archives

Court Allows HIPAA Negligence Claim


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 7 Nov 2014 16:33:24 -0700

http://www.govinfosecurity.com/court-allows-hipaa-negligence-claim-a-7535/op-1

Legal experts are analyzing the potential national impact of a Connecticut
Supreme Court ruling that plaintiffs can sue for negligence if a healthcare
provider violates HIPAA regulations for protecting patient privacy.

The Connecticut case of Emily Byrne vs. Avery Center for Obstetrics and
Gynecology involved a patient who sued a healthcare clinic that released
her medical records to a third party without her authorization. But legal
experts say the ruling could potentially have relevance in certain data
breach cases.

"HIPAA does not provide for the 'private right of action,' or [the right
of] private folks to sue under the statute," says privacy attorney Brad
Rostolsky of the law firm Reed Smith. "Enforcement actions and fines for
HIPAA violations are levied by federal regulators. But in a handful of
cases, like this Connecticut ruling, courts have allowed HIPAA as the
'standard of care' for negligence claims."

Privacy Issues

Byrne's attorney, Bruce Elstein of the Connecticut law firm Goldman, Gruder
& Woods, tells Information Security Media Group: "Before this ruling,
individuals could not file a lawsuit claiming violation of their privacy
under the HIPAA regulations. It was for that reason that we filed a
negligence claim, claiming the medical office was negligent when it
released confidential medical records contrary to the requirements set
forth in the HIPAA regulations.

"The state Supreme Court agreed that a violation of HIPAA regulations may
constitute a violation of generally accepted 'standards of care,' and
remanded the case back to the lower court for trial." That trial likely
will take place next year, he says.

Privacy attorney Elizabeth Hodge of the law firm Akerman LLP explains that
in this Connecticut case, HIPAA is the "standard of care" for protecting
patient confidentiality that was used to show that a patient's privacy
rights were violated. "In data breach cases, plaintiffs could argue that a
healthcare provider, insurer or other covered entity did not meet the
'standard of care' with the HIPAA security or privacy rule in protecting
records, and that the failure to meet that standard of care was negligent."

Rostolsky says the ruling in Connecticut not only potentially impacts
covered entities in other cases, but also business associates, who are also
directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Nonetheless, in negligence lawsuits, plaintiffs need to show damages,
Rostolsky points out. Many class action lawsuits involving data breaches
have been dismissed by courts because they lacked evidence showing that
individuals impacted by a breach subsequently have been victims of fraud or
have suffered other damages.

Attorneys say that because this Connecticut lawsuit has been kicked back to
a lower court for trial, it's not yet clear how the case will play out.

Case Details

The suit against Avery Center for Obstetrics and Gynecology in Westport,
Conn., was filed by Byrne, a former patient who now resides in Vermont.

Elstein says that in the early fall of 2004, Byrne learned that she was
pregnant. "Shortly afterward, she called the Avery Center to instruct them
not to release any of her medical information to the father of the child,
with whom she was no longer in a relationship," Elstein says. "This request
was well within her rights as protected under the HIPAA Act."

The information contained in Byrne's medical file "was highly sensitive,
deeply personal and confidential," Elstein says. "But despite Byrne's clear
instructions, and in violation of its own stated privacy policy, the Avery
Center released her medical file [to her ex] upon subpoena. It failed to
make any attempt to notify Byrne of the subpoena or to seek guidance from a
court on the disclosure to be made."

The father of Byrne's child used her personal health information "for a
campaign of harm, ridicule, embarrassment and extortion," Elstein alleges.
"If HIPAA had been followed, Byrne would have been able to keep her
sensitive and private information confidential."

Hodge says a critical mistake that the health center made was failing to
contact the patient after receiving the subpoena. "They should have
contacted the patient or her attorney so that she could take action"
against the release of the information, she says.

Rostolsky recommends to his clients that there be "a designated person to
handle subpoenas" within their organizations. "This was a big mess that
could have been avoided," he says.

An attorney representing Avery Center did not respond to ISMG's request for
comment.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/