A class action lawsuit filed in California against Rady Children’s Hospital – San Diego illustrates a growing trend of private litigation based on breaches of protected health information (PHI). The incident stems from a ransomware attack last year on Blackbaud, the hospital’s business associate, which provides fundraising and donor management software. The Blackbaud incident spread globally – several dozen other healthcare organizations were damaged by the ransomware last year, as well as educational institutions and nonprofits. In healthcare alone, over 2.6 million individuals were affected.
Class Action HIPAA Lawsuits Are Trending
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS), which enforces HIPAA, will investigate all of the Blackbaud breaches that affected 500 or more individuals, because HIPAA regulations require it. There are at least 10 of those, according to the latest tally. We won’t know the outcome of those investigations for some time, but in the meantime, aggrieved individuals are filing lawsuits.
Although HIPAA does not give individuals a right to sue, lawyers argue that HIPAA establishes a professional standard of care that healthcare providers should meet. Judges are listening to this line of reasoning, and some agree. Some of the lawsuits, like the one against Rady Children’s Hospital, are class actions – cases that pull together large numbers of individuals affected by the same incident to sue together as a “class”. These lawsuits are large, expensive and time-consuming.
In some cases, the lawsuits name both the business associate and the covered entity health care provider as co-defendants, saying that both were negligent. For example, in November a proposed class-action lawsuit was filed in a Maine federal court against both Blackbaud and Eastern Maine Healthcare System, which does business as Northern Light Health. The Blackbaud ransomware incident affected close to 657,400 individuals at Northern Light Health.
HIPAA Requires Providers to Do Due Diligence with Vendor Business Associates
Even though the breach occurred at the vendor (Blackbaud), Rady Children’s Hospital and Northern Light Health are not necessarily off the hook. Covered entities are required to use care in selecting their vendors/business associates and to perform due diligence to ensure that the business associates are following HIPAA. If the health care provider did not properly evaluate the vendor, or did not enter into a business associate agreement, an argument could be made that this lack of care was negligence and contributed to the breach. If the court agrees, the hospital will pay damages.
At the same time, health care providers should take care not to exert so much control over a business associate that they inadvertently make the business associate their “agent”. Under the Federal Common Law of Agency, if Blackbaud is a legal agent of Rady Children’s Hospital, for instance, the hospital would be liable for damages resulting from Blackbaud’s acts or omissions. The answer will depend on any contract terms that give Rady control over Blackbaud’s performance. A relatively low level of control can establish an agency relationship between a hospital and its business associate under the Federal Common Law of Agency. The key is to exercise due diligence (ask questions) without exerting control (directing what to do).
The Future of HIPAA Lawsuits
Health information data breach lawsuits usually rely on state laws to satisfy the legal requirement known as “standing”. California has health information privacy laws that are stronger than HIPAA and that support a private right to sue.
As we first reported twelve months ago, we expect to see this trend grow, particularly in states like California with laws that are more protective of consumers. Other populous states with significant healthcare economies, like Texas and New York, will likely see similar cases. However, class action lawsuits based on health information data breaches are being filed across the country.
As the number of breaches of protected health information grows, so too does the demand for stronger health information privacy laws at both the state and federal levels. Protection of personal privacy is a subject that has strong support from both sides of the political aisle.