Creative lawyers are suing negligent health care providers and business associates for failing to protect patient privacy, even though HIPAA itself does not give consumers a right to sue. In the past, enforcement was done almost exclusively by the Office for Civil Rights (OCR), the federal agency that oversees HIPAA. OCR is still investigating and fining HIPAA violators, but today the courts are seeing more cases and the costs are rising.
Because HIPAA does not provide individuals a right to sue in court, these cases are alleging that healthcare organizations are negligent, or have breached contracts with patients, using other laws to make the claim. However, they also hold up HIPAA as a “standard of care”, and argue that the defendants didn’t follow basic HIPAA requirements, and courts are listening.
Recent Examples of Lawsuits
DCH Health System
The most recent example is a federal case brought against DCH Health System in Alabama after a ransomware attack disrupted patient care by locking down the electronic health record system. Patients were delayed from seeing their doctors, diverted to other hospitals or denied care altogether. DCH ended up paying the ransom to obtain access to its records.
The lawsuit alleges that DCH is guilty of negligence, invasion of privacy, breach of contract, and breach of fiduciary duty. The lawsuit seeks class action status, meaning that it will likely grow larger, with many more patients joining together to sue DCH.
DCH did not report the ransomware attack to OCR even though it probably should have, since ransomware is a “presumed breach” under HIPAA.
Key Takeaway: Do a HIPAA Risk Analysis and follow the Risk Management plan to uncover gaps in cybersecurity defenses like malware protection, data backups, and workforce training. Paying the ransom is risky.
American Medical Collection Agency
In June 2019 we saw multiple class action lawsuits filed across the country against American Medical Collection Agency (AMCA), a business associate collection company under contract to LabCorp and Quest. Over 20 million patients’ data were compromised, and AMCA later declared bankruptcy. LabCorp and Quest, both covered entities, may not be off the hook if they were negligent in how they managed their business associates. Creative lawyers should be looking closely at whether the labs are at fault.
Key Takeaway: Make sure all your business associate vendors follow HIPAA and have business associate agreements in place. As a business associate, follow your own HIPAA compliance program, including a robust Risk Analysis – Risk Management Plan.
MU Health
In early August 2019, patients filed a class action lawsuit against University of Missouri Health Care (MU Health) about one week after it began reporting patient data breaches caused by hacked email. More than 14,000 patients were affected when data like social security numbers and other sensitive information was stolen.
Key Takeaway: Train the workforce on how to identify and avoid phishing through email, still the most common avenue for cybercrime theft.
Stay the Course with HIPAA Compliance
OCR investigations, not private lawsuits, should still be the main concern of any organization required to comply with HIPAA.
These lawsuits are not easy to win. Plaintiffs (those bringing the lawsuit) need to prove injury, or damages, in order to move forward. When personal data is lost or if healthcare is delayed, the damage is not always obvious, nor can it be compensated with a money award in a lawsuit, a requirement in court when suing for negligence or breach of contract.
Still, we predict there will be more cases like these in spite of the challenges, as cybercrime continues to rise, and the healthcare industry continues to fail at protecting patient privacy. If you ignore HIPAA, or have a weak compliance program that is incomplete, you are at risk.
HIPAA Compliance is a Blueprint for Protection against Cybercrime
A solid HIPAA compliance program is the best defense against cybercrime. This is because HIPAA requires that your systems have malware and adware protection, you install updates and patches, you back up data, your workforce is trained to recognize phishing and other types of cybercrime tactics, and you have access controls to limit who may see certain data.
All of these, and more, are laid out in The HIPAA E-Tool®, with an interactive self-guided Risk Analysis, the core of a complete HIPAA compliance program.