States Strengthen Opportunity for Financial Compensation to Breach Victims
February 12, 2018
When you think of fines related to a HIPAA breach, you likely think of the federal government doling out charges from the Department of Health and Human Services’ Office for Civil Rights (HHS OCR). The Feds aren’t the only group penalizing those who aren’t protecting individuals’ privacy. Individual states are increasingly getting in on the action. In some states, patients or clients can file a suit against those who are mismanaging their Protected Health Information (PHI). Non-compliance can cost you more than you thought, potentially hitting you from three sides: federal, state, and individuals!
In this blog, we look at some recent examples of how state attorneys general, as well as victims themselves, are using privacy laws to cite entities that have breached PHI. What does this mean to you? It means it’s time to get serious about HIPAA compliance!
Connecticut Gives Breach Victims More Power
Patients in Connecticut are now able to sue doctors and other healthcare providers for the unauthorized and negligent disclosure of their confidential medical records. The Connecticut State Supreme court ruling adds Connecticut to a growing number of states that lets patients sue for damages over the release of private records by their physicians. While HIPAA law does protect patient records, it does not permit patients to sue providers over unauthorized disclosures. Connecticut has extended the right to sue.
In 2007, Emily Byrne, then a Connecticut resident, filed a lawsuit against Avery Center for Obstetrics and Gynecology after her medical records were disclosed to the father of her unborn child. Avery didn’t ask her for permission to release the records, nor did they warn her they were going to. Byrne alleges the father viewed her medical records and used them to harass, threaten and humiliate her. In 2015, her case was dismissed because Connecticut law did not recognize a duty of confidentiality between doctors and their patients, or that communications between patients and healthcare providers are privileged under common law. Byrne appealed the decision twice, and the Supreme Court finally ruled in her favor. Connecticut residents are now permitted to file lawsuits for damages following negligent disclosures of medical records that have resulted in harm.[1]
State Court Rulings – HIPAA as a Standard of Care
Along with the Connecticut courts, the courts of North Carolina, Missouri, and West Virginia have ruled that patients can sue their doctors directly using HIPAA as a standard of care. This means the patients aren’t actually suing for a HIPAA violation; they are suing providers for medical malpractice, arguing that HIPAA Privacy and Security are reasonable expectations of a healthcare provider.
These rulings are quite significant, and they may open the way for more lawsuits in other states. The question is, will other state courts rule in the same way as these four, and will this apply to all Covered Entities, Business Associates, and Business Associate Subcontractors?
The Omnibus ruling treats Covered Entities (hospitals, doctors, insurance carriers, and employers), Business Associates (those who support Covered Entities, e.g. insurance agents, IT providers, remote storage), and Business Associate Subcontractors (companies that support Business Associates) as equals when it comes to protecting PHI. This means they are all subject to the same fines and penalties.
Under these rulings, in theory, anyone who receives PHI could reasonably be expected to protect that information using the HIPAA Standards. And if a release harms the individual, as alleged in the Connecticut case, an entity could be open to fines from HHS and the state attorney general, and possibly a lawsuit from its clients.
If the threat of audits and fines from HHS weren’t enough for everyone out there, this should be a wake-up call! Many companies are ignoring HIPAA, asking, “What are the odds HHS is going to come audit me?” Perhaps HHS won’t come knocking, but a client, employee or patient might.
State of California Fines Healthcare Entity $2 Million
In 2013, Cottage Health of Santa Barbara discovered a breach. The sensitive health information of more than 50,000 patients was freely accessible online and included names, medical histories, diagnoses, prescriptions, and lab test results. Additionally, the server had been accessed by other individuals during the time that it was unsecured. The breach was reported to the California Attorney General, and, during that breach investigation, a second breach occurred. This time over 4,500 patients’ health information was accessible online for over two weeks before it was discovered.
Cottage Health admitted that both breaches ultimately exposed patient data, but argued that no patient information was used inappropriately. In light of the breaches, the company made reasonable and appropriate changes to its security; Cottage updated controls and strengthened policies, procedures, and security, among other safeguards. Furthermore, they acted swiftly enough after both breaches to limit patient information exposure.
Regardless of the changes Cottage made to protect its patient information after the breaches, it was the lack of protections leading up to the data breaches that led to a financial penalty. The California state attorney general’s office filed a complaint that Cottage failed to employ basic security safeguards and breached state law and HIPAA Rules. The complaint contained allegations of:
- Running out-of-date software
- Not installing patches
- Not changing default configurations
- Not using strong passwords
- Not limiting access to sensitive personally identifiable information
- Not conducting regular Risk Assessments
California Attorney General Xavier Becerra said that “The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”[2]
Cottage Health will pay the California state attorney general’s office a $2 million settlement for violating both state and federal laws, which is in addition to any federal fines they’ll pay HHS OCR under HIPAA. In addition to the monstrous state fine, Cottage Health was ordered to update information security controls and security practices and procedures. Specific safeguards include, but aren’t limited to, evaluating firewall security, encrypting PHI, performing Risk Assessments, performing penetration tests, and training employees on working with PHI.
Coming Soon: 15 Days to Report a Breach in NC
HIPAA gives healthcare providers 60 days from the time a breach is discovered to report a breach to the public, victims, and HHS. NC Attorney General Josh Stein and State Rep. Jason Saine want to change that for North Carolina businesses and government agencies. The duo has created legislation that would give organizations only 15 days to report a data breach to NC consumers and the attorney general.
The Act to Strengthen Identity Theft Protections would add medical information and insurance account numbers to the materials businesses and agencies have a duty to protect. A short notification period would allow consumers to freeze their credit and take other steps to prevent identity theft before it occurs. The bill would also allow consumers to place and lift a credit freeze on their credit report at any time, for free. Such a freeze would keep a hacker from using the consumer’s stolen data to open a fraudulent credit line.
The proposed legislation is a direct response to the massive increase in consumers impacted by data breaches in the state. More than 5.3 million North Carolina consumers were impacted by 1,022 data breaches in 2017, Stein said.
The bill to strengthen identity theft protections is set to be filed with the NC General Assembly in May 2018. If passed, the bill would give North Carolina one of the toughest breach notification laws in the U.S. and, according to Stein, would be the “gold standard piece of legislation across the entire country.”[3]
How Do These Changes Affect You?
Maybe you don’t live in these specific states, but legislation surrounding patient privacy is constantly evolving and the landscape is shifting. More and more, attorneys general and legislators are reforming their states’ laws, and clients are demanding that their PHI be protected. States are setting precedents and others are watching. The risk of being sued or fined continues to increase, and failure to protect your patients’ information puts you in a vulnerable place. It’s in your best interest to protect PHI to the best of your ability. Review your HIPAA compliance programs to identify weaknesses, conduct a Risk Assessment regularly, and institute safeguards and protocols to reduce the likelihood of inappropriate disclosures that may lead to lawsuits or fines.