If you think the HHS’ Office for Civil Rights (OCR), the agency that enforces HIPAA, is too busy to find you and won’t investigate your policies and security practices, think instead about an unhappy patient with an aggressive lawyer. The patient does not have a right to sue under HIPAA, but the lawsuit can allege negligence, breach of contract, failure to follow state privacy laws, and it will likely mention HIPAA. Even though it’s not a “HIPAA lawsuit”, it will reference HIPAA requirements, and point out how you didn’t follow those requirements.
In a lawsuit like this, HIPAA is a point of reference, a standard, that you either lived up to (and if so, you’ve done your best to be careful) or you didn’t (and if so, you did not take care and were negligent). According to the lawyers and the judge.
The recent lawsuit against SuperCare Health, Inc., a California provider of in-home respiratory care, is similar to a number of recent suits filed against covered entities after large breaches. It was filed in federal court by one person, but proposed as a class action. If it qualifies for class action status, every SuperCare Health patient in similar circumstances will be invited to join.
Business associates can also be sued or investigated for breach of privacy by individuals or regulators other than OCR. The largest healthcare data breach of 2018, at business associate American Medical Collections Agency, resulted in multiple class action lawsuits a, state Attorney General investigation and bankruptcy for AMCA. In fact, because business associate breaches tend to affect larger numbers of individuals at one time, these incidents are especially at risk for class action lawsuits.
The SuperCare Healthcare DataBreach
The lawsuit against SuperCare Health alleges that it was negligent in failing to keep protected health information (PHI) secure in a 2021 hacking incident affecting more than 300,000 patients.
SuperCare reported the healthcare data breach to HHS on March 28, 2022. It was described as a hacking/IT incident involving a network server affecting nearly 318,400 individuals, according to HHS/OCR’s HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
SuperCare’s breach notification statement posted on its website explains that it discovered unauthorized activity on its systems on July 27, 2021. SuperCare says it immediately began containment, mitigation and restoration efforts to terminate the activity and to secure its network, systems and data.
According to the statement, the forensic investigation revealed that an unknown party had access to certain systems on its network from July 23 through July 27, 2021. On February 4, 2022, SuperCare determined that the potentially affected files contained some information relating to certain patients. In some cases, that information included Social Security numbers.
The Risk of a Lawsuit
These class action lawsuits are becoming more common as the numbers of healthcare data breaches and individuals affected grows. Creative lawyers make compelling arguments about the negligence of covered entities and business associates when they fail to keep PHI secure.
A recent study found that out of security incidents in 2021 evaluated across all sectors, 23 incidents resulted in 58 lawsuits being filed – with many duplicative lawsuits involving the same incidents. Forty-three of those 58 were filed against healthcare organizations, according to the study from law firm BakerHostetler.
On the other hand, not all of these lawsuits are successful. Increasingly, courts are requiring evidence of actual present harm, not speculative future harm before a case will be allowed to proceed. The Supreme Court’s June 2021 decision in TransUnion LLC v. Ramirez suggested that the risk of future harm, like that claimed by the plaintiff in SuperCare is not enough. But if a plaintiff can show actual current harm, caused by the defendant, like the costs of obtaining credit monitoring services, lost time managing the breach (an individual’s time can be valued on a per hour basis), the lawsuit can move forward.
Step Up HIPAA Compliance to Avoid Becoming a Target
Healthcare data breaches continue to rise, and HIPAA enforcement from OCR is still strong. But you can reduce the risk of cybersecurity incidents, HIPAA enforcement and lawsuits by following HIPAA.
The best defense against OCR enforcement and lawsuits like the one against SuperCare is to make sure you’re doing everything possible to keep PHI secure. By following HIPAA, conducting a HIPAA Risk Analysis at least once a year and Risk Management year-round, you are much less likely to be declared “negligent” in your guarding of patient information in the wake of a breach. And when OCR investigates, you are ready. If a breach happens in spite of your efforts, OCR is much less likely to require payment of civil monetary penalties imposed for HIPAA violations.