Evaluating the Potential Impact of a HIPAA Security Breach in Your Risk Analysis

HIMSS 2014 included multiple presentations and updates regarding breach risk. Attorney Tatiana Melnik of Melnik Legal presented an update on civil actions that provides important information to anyone who is conducting a HIPAA Security/meaningful use risk analysis and needs to estimate the potential impact of a breach.

The possibility of government penalties, fines or settlements should always be considered as a potential impact in the event of a breach. Most of us know that the HHS Office for Civil Rights (OCR) is the primary enforcer of HIPAA, and that the HITECH Act also empowered state Attorneys General to enforce HIPAA cases. OCR has taken civil enforcement action in fewer than 20 cases to date. States are just getting started, and there have been at most a handful of enforcement cases. HIPAA provides injured individuals no “private right of action,” that is, individuals who may have been harmed have no standing under HIPAA itself to claim damages from a healthcare provider. However, cases of private action using other legal theories have been emerging. The AvMed Health Plan case, in 2009, involved the theft of unencrypted computers containing PHI that were taken during a break-in. A class action suit was filed in Florida.

Matt Curtin at the Interhack booth during HIMSS14

Matt Curtin of Interhack, photographed in his office, served as an expert witness during the trial for the class action suit against AvMed Health Plan

Per Matt Curtin of Interhack, who served as expert witness for the plaintiffs, a novel legal theory was used. The theory held that subscribers expected privacy as a component of the service they paid for, and that HIPAA represented the “standard of care” in this industry. By failing to provide that privacy, AvMed had defrauded its subscribers. Curtin identified the HIPAA-mandated security measures which, if employed, may have prevented the breach. Curtin then estimated the cost of implementing these security measures, and this amount was used as the basis for the damages sought in the class action claim.

The case was ultimately settled in October 2013 for $3M, plus a series of security measures that the company agreed to implement. Per Melnik, this case matters because it was settled even though not all members of the class were shown to have suffered damages. AvMed chose to settle the case rather than incur the expense of defending it further.

Another case is R.K. v. St. Mary’s Medical Center in West Virginia. In March of 2010, the patient was admitted to St. Mary’s as a psychiatric patient. A hospital employee accessed his records and disclosed PHI to his estranged wife and her divorce lawyer. R.K. sued for (1) negligence, (2) outrageous conduct, (3) intentional infliction of emotional distress, (4) negligent infliction of emotional distress, (5) negligent entrustment, (6) breach of confidentiality, (7) invasion of privacy, and (8) punitive damages. No HIPAA claim was asserted. The West Virginia Supreme Court of Appeals found in favor of R.K. and stated that a HIPAA violation may be used as the basis for a claim of negligence, or that HIPAA may be used to supply the “standard of care” for other tort claims. Per Melnik, this matters because it is a precedent that other lawsuits may cite to support the use of HIPAA as the “standard of care.”

For those conducting a risk analysis and evaluating the potential impact of a breach, it is prudent to consider the possibility of civil litigation, whether from individuals or from class action suits. In the AvMed case above, that litigation resulted in a settlement of $3M plus substantial legal costs, on top of any regulatory penalties.
