Penalties and Lawsuits for HIPAA and State Privacy Law Violations
By: Jackie Cooper
Federal and state privacy and security law is an ever-changing minefield for any entity with access to sensitive information. There is no shortage of news about data breaches these days. (Google: Equifax.) The healthcare industry is not immune from breaches, hacks, and mistakes.
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has already assessed multiple penalties against healthcare providers for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule in 2017. Individual states, consumer-protection groups, and private law firms have also filed multiple high-stakes lawsuits for breaches.
In April 2017, OCR settled with The Center for Children’s Digestive Health in Chicago for $31,000. The provider contracted with a vendor for medical records storage, but it did not have an adequate Business Associate Agreement (“BAA”) in place with the vendor. The vendor was sued for throwing paper records of thousands of patients into an unlocked dumpster.
In May 2017, OCR fined Memorial Hermann Health System in Texas $2.4 million because hospital management permitted publication of a press release that included a patient’s name without their consent. The hospital must revise its policies and procedures and train its employees on compliance with HIPAA.
In June 2017, a New York company, CoPilot Provider Support Services, Inc., agreed to pay $130,000 to the state for its violation of state notification law following a data breach of 221,178 patient records.
Given heightened concerns and scrutiny about privacy rights and protections in general, the courts across the country are considering some unique circumstances involving healthcare providers and other covered entities.
In August 2017, a federal class action lawsuit was filed in the U.S. District Court in Pennsylvania claiming that Aetna mailed 12,000 letters in 23 states that included outwardly visible HIV-status related information of its insureds.
On September 05, 2017, a Kentucky Court of Appeals upheld a lower court’s dismissal of a nurse’s claims of wrongful termination following an alleged HIPAA violation. The nurse claimed that she complied with HIPAA and that the disclosure complained of was, at most, “incidental.” The nurse had indicated to co-workers that a patient had Hepatitis C within hearing of other patients. The higher court’s ruling demonstrates support for hospitals making efforts to comply with the applicable laws and protect patients’ privacy rights.
On September 12, 2017, a patient sued Mount Sinai St. Luke’s Hospital in New York for faxing his PHI to his employer. St. Luke’s specializes in services for individuals living with HIV or AIDS and other chronic diseases. The patient is claiming significant damages from the improper disclosure, including having to quit his job. OCR has already fined the hospital $387,000, a weighty fact which may come into play if the case proceeds to trial.
Recent HIPAA and privacy law news reinforces the fact that healthcare providers simply cannot be too careful in complying with federal and state law and in creating and enforcing effective internal policies and procedures. The consequences for violations can amount to far more than a small fine and a slap on the wrist.
Our attorneys have extensive experience with privacy law in the healthcare setting. Please contact me if you would like to discuss your organization’s needs in connection with HIPAA or Texas State privacy laws.