Emerging concern from private litigation against BAs and Covered Entities
Covered entities and business associates need to take extra precautions to protect patient personal health information (PHI), as penalties could be staggering. This has been highlighted recently in the Byrne vs. Avery Center case in Connecticut.
Byrne sued the Avery Center for negligence after her personal medical information was disclosed to her ex-partner’s attorneys as part of a paternity lawsuit. The father of Byrne’s child was alleged to have used her personal health information to embark on “a campaign of harm, ridicule and embarrassment” against her. This information was disclosed despite her having told the center not to provide her personal health information to her significant other.
However, once the center received the subpoena from his lawyer, it readily provided the information, without contesting the request and without informing Byrne that it had released this information.
The reason that this case has generated so much interest is that, while individuals cannot file a lawsuit claiming violation of their privacy under the HIPAA regulations, in this case the violation occurred because the clinic was negligent in releasing confidential health records.
The Connecticut Supreme Court remanded the case to the trial court and permitted the plaintiff to proceed with the negligence claim as a HIPAA violation under the “standard of care” for protecting patient information.
Ten US states now recognize that while HIPAA does not offer a private cause of action for privacy violations, it does provide a standard against which a party’s actions will be judged. Business Associates are equally bound by the terms and language that the Covered Entity and the Business Associate agree to in the signed Business Associate Agreement. Covered Entities also have to cover this in the Notice of Privacy Practices that every patient is supposed to receive before treatment, and in the patient consent that also has to be signed. Covered entities and business associates should carefully consider requests for information from third parties, and determine whether HIPAA would be breached by providing PHI.
What does this mean for healthcare providers?
Byrne’s attorney, Bruce Elstein, was recently interviewed by Marianne Kolbasuk McGee of http://www.healthcareinfosecurity.com regarding the case, which was initially dismissed by the court on the grounds that HIPAA doesn’t allow a “private cause of action” as a reason for a lawsuit against a covered entity.
However, the case was disputed, and after two years, it has been decided that a plaintiff may sue a healthcare provider for negligence if it can be proven that the provider is in violation of HIPAA regulations that protect PHI.
In this instance, the plaintiff was personally damaged by this negligence and the case will undoubtedly take into account not only the wrongful disclosure of PHI, but also the emotional distress that it caused to her.
The case against the Avery Center for negligence is expected to continue next year.
Could healthcare providers end up in court for a breach such as theft of a device?
It may be possible. For example, if a patient’s identity was stolen from a lost, unencrypted device and their details were used to commit fraud, the healthcare provider may have a lawsuit filed against it, provided the patient can show that this negligence caused them harm.
In light of this case, all covered entities and business associates should ensure that they are aware of the laws surrounding data privacy under HIPAA.