HIPAA/HITECH Data Breaches and Class Action Exposure?

A new adverse consequence for violations of HIPAA requirements for the security of protected health information and data may be emerging.  On February 28, 2014 the United States District Court for the District of Southern Florida entered an Order Granting a Motion for Final Approval of Class Action Settlement in Curry v. AvMed, Inc., Civil Action No. 10-cv-24513.  The District Court’s approval of the $3 million settlement is the conclusion of a litigation that had initially been dismissed for failure to state a cognizable injury by predicating recovery upon the spectre of injury in the form of heightened likelihood of identity theft rather than injury in fact and that the expenditure of time and money to combat future identity theft was not sufficient.  The case had gone to the Eleventh Circuit Court of Appeals which reversed and remanded the matter.  Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012).  The settlement in effect implemented the approach promulgated by the Court of Appeals.

Violations of HIPAA’s requirements for security of protected health information as reinforced by the more recent HITECH and Omnibus Rule provisions have been drawing increasing scrutiny and severe enforcement from the Office of Civil Rights.  The $1.7 million settlement with WellPoint for security violations and the $1.2 million settlement with Affinity Health Plan for returning a leased photocopier without erasing the data on the hard drives are only recent instances of this phenomenon.  In addition to the substantial penalties that accrue at up to $50,000 per violation with each involved patient being a separate violation, there are the costs associated with the data breach notification requirements and the resultant negative publicity.

Civil lawsuits, especially in the form of federal class action claims, have not been a meaningful danger.  The lack of a private right of action for HIPAA violations is firmly entrenched.  The requirements for standing in a federal class action have worked to preclude most consumer litigation alleging data breach.  According to Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), actual or imminent injury is necessary for Article III standing in a federal lawsuit and not simply the potential for injury.  Clapper was not a data breach claim but its analysis is applicable.  In addition, the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d) gives the district courts original jurisdiction over putative class actions where minimal, even if not complete, diversity of citizenship exists.  The Act permits removal of a lawsuit from state to federal court where there is a class of more than 100 people and the aggregate claims are more than $5 million, even if only state law claims are being made.  Thus, data breach cases are routinely removed to federal court which has been notably less hospitable to such claims.  However, data breach class actions may still be brought in state court.  Indeed, the Supreme Court recently held on January 14, 2014 that actions brought by state attorneys general are not removable to federal court. See Mississippi ex rel. Hood v. AU Optronics Corp., 134 S. Ct. 736 (2014).  This would include civil damage actions pursuant to HITECH for HIPAA privacy and security regulations by covered entities and business associates.  See generally 42 U.S.C. § 1320d-5(d).

The factual scenario in Resnick v. AvMed is unfortunately too familiar and recurrent.  Laptops with unencrypted protected health information of over a million health plan members were lost.  The court of appeals held that the pleading alleging that plaintiffs had experienced no identity theft before the data and discovered instances of identity theft about a year after the loss of the laptops set forth a sufficient cognizable injury with sufficient facts to allow a plausible inference that AvMed’s failure to secure the data resulted in identity thefts regarding the plaintiffs and that there was a sufficient nexus between the data breach and the identity theft.  The claims in Resnick were not based on HIPAA or HITECH provisions but rather Florida law.  However, a number of cases have used the HIPAA regulations as a “standard of care” for purposes of state law breach of confidentiality claims.

The February 2014 approval of the class action settlement may be the precursor of a lower threshold for data breach claims.  In contrast is the decision in the District of New Jersey in Polanco v. Omnicell, Inc., 2013 WL 6823265 (D.N.J. Dec. 26, 2013), in which a class action was dismissed for lack of injury-in-fact.  This was another lost laptop case, with PHI for thousands of patients that had been provided to a vendor of medication control and dispensing systems.  An employee’s laptop with this unencrypted information was stolen from a parked car.   The defendants included several hospitals and healthcare systems to which patients had provided their personal information while seeking healthcare treatment. (McElroy, Deutsch, Mulvaney & Carpenter, LLP was counsel of record for one of the defendants in the lawsuit).

Relying on Clapper, Judge Hillman found that plaintiffs had failed to allege sufficient injury-in-fact so as to have standing to bring the lawsuit in federal court.  The court found that Clapper was “controlling.”  In his opinion, Judge Hillman rejected the attempt by plaintiff to distinguish Clapper and claim that the current matter was not a data breach case.  Plaintiff asserted that the data breach had revealed that at least one of the hospitals was not HIPAA-compliant and that it continued in a failure to take corrective steps to prevent further dissemination and to compel the institutions to purge their records of her PHI.  The court noted that there was no private action under HIPAA and the enforcement responsibility rested with the Secretary of Health and Human Services.  Citing the Third Circuit decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir. 2011), it rejected the contention that time and expense for monitoring the consequence of the alleged data breach satisfied the injury requirement.   The court dismissed the complaint without prejudice based on lack of subject matter jurisdiction.

The Eleventh Circuit opinion in Resnick was issued before the SCOTUS opinion in Clapper.  Although the approval of the class action by the Florida District Court suggests a continuing vitality to the Resnick approach to standing and injury, decisions such as Polanco call into question whether it is still good law.  That remains to be seen.  But what is clear – and has been for some time – is that the costs associated with encrypting data are small in comparison to the costs of litigation, breach notification protocols, and potential penalties arising from failure to comply with HIPAA and HITECH.

Affordable Care and the Continuing Debate on Malpractice Damages Caps

The Affordable Care Act contains only a passing reference to malpractice tort reform in a section providing the “sense of the Senate” as well as establishing funding for pilot programs at the state level.  Lobbying efforts to achieve any significant tort reform measures were unsuccessful.  Those efforts included the pursuit of a federal cap on medical malpractice awards.  Such efforts at both the federal and state levels can be traced to the 1975 innovation in California with its passage of the Medical Injury Compensation Reform Act (“MICRA”) limiting noneconomic damages to $250,000.  California’s MICRA has withstood court challenges to its constitutionality.  A number of other states followed similar paths to that taken in California, enacting various iterations of the MICRA model; no such legislation has been enacted in New Jersey although such bills have been introduced in the legislature.   While some state courts around the country have upheld such legislation against constitutional attacks, there are several states that have found the legislation to violate several different constitutional guarantees.

The intensity of the debate over damages caps waxes and wanes.  Renewed activity is likely to be sparked by a March 24, 2014 ballot initiative in California to raise the cap amount from $250,000 to $1.1 million and an opinion filed March 13, 2014 by the Florida Supreme Court.  In Estate of McCall v. United States, 2014 WL 959180 (Fl. 2014), the court ruled that that state’s statutory cap enacted in 2003 limiting the wrongful death noneconomic damages that could be recovered in a medical malpractice case was an unconstitutional violation of the equal protection clause of the Florida constitution.  Five of the seven justices agreed with that conclusion but fractured over the reasoning to get to it.  The opinion for the court was actually a plurality decision rather than a majority.  There were two justices who dissented as to the entirety of the decision and who would have deferred to the legislature’s policy choice of enacting a cap of $1 million on noneconomic damages in medical malpractice cases involving death as being rationally related to legitimate state interests of decreasing medical malpractice insurance rates and increasing the affordability and availability of health care in Florida.

The issue in the case arose out of the prenatal care given to a patient at a United States Air Force clinic who was suffering from preeclampsia.  There was an extended delay in performing an emergency cesarean section.  Although a healthy baby was born, the mother went into shock and cardiac arrest.   The woman never regained consciousness and died four days later.   A lawsuit was filed under the Federal Tort Claims Act which provides that damages are determined by the law of the state where the tortious act was committed.  Sitting without a jury in accordance with the Federal Tort Claims Act, the trial judge determined that the economic damages for financial losses were in the amount of $980,462.40 and that there were noneconomic damages of $2 million in favor of the surviving family members.   The trial judge then proceeded to reduce the noneconomic damages recovery to $1 million pursuant to the Florida statutory cap for medical malpractice matters.   The trial judge rejected challenges to the constitutionality of the damages cap.  On appeal, the Eleventh Circuit rejected several components of the plaintiff’s constitutional challenges.  Estate of McCall ex rel McCall v. United States, 642 F.3d 944 (11th Cir. 2011).  These included the alleged violations of the Fourteenth Amendment’s Equal Protection Clause.  (The United States Supreme Court had declined to review constitutional challenges to California’s MICRA in Fein v. Permanente Medical Group, 474 U.S. 892 (1985) dismissing the appeal “for want of a substantial federal question.”). With regard to state constitutional challenges, the Court of Appeals concluded that there was inadequate state precedent and it used an available procedure to certify questions directly to the Florida Supreme Court.   It identified four questions to be addressed but the Florida Supreme Court chose to answer only one, which it rephrased in terms of the wrongful death noneconomic damages and equal protection.  Since the court found the constitution was violated, it did not need to address the remaining alternative grounds of challenge.  It emphasized the wrongful death claim as being of statutory nature and unknown at common law.  It did not address the constitutional status of the damages cap in a non-wrongful death context.

The equal protection deficiencies with damages caps have been articulated in various ways.  These include an arbitrary distinction between injured victims of medical negligence and persons injured through other forms of negligence or tortuous conduct and distinguishing the recovery available for a slightly injured person from that available for a severely injured person.  Interference with the right to a jury trial to resolve the extent of any damages award has also been involved.  The assessment of governmental purposes of reducing costs and assuring access to care has been subject to differing levels of scrutiny, affecting the conclusion reached by various courts.

While New Jersey does not have a statute generally applying to recoverable damages in medical malpractice cases, it has long had a statute limiting recoverable damages in malpractice claims against nonprofit hospitals.  N.J.S.A. 2A:53A-8.  As originally enacted this limit was $10,000.  The statute was amended in 1991 to increase the recoverable amount to $250,000.  This limitation only applies to the institution and not to employees or agents who can be identified as culpable actors.   The constitutional validity of N.J.S.A. 2A:53A-8 was challenged but upheld in Edwards v. Our Lady of Lourdes Hosp., 217 N.J. Super. 448 (App. Div. 1987).  The court noted that the limitation on the hospital liability was an exception to the complete immunity afforded to charitable institutions in a preceding statutory provision.  The constitutionality of the statute was again challenged in Johnson v. Mountainside Hosp., 239 N.J. Super. 312 (App. Div.), certif. denied, 122 N.J. 188 (1990).   Plaintiff argued that the statute was “special legislation” and violated the due process and equal protection clauses of the federal constitution and the comparable protections of the New Jersey constitution.  The intermediate appellate court upheld the statute’s constitutionality and further review was denied by the New Jersey Supreme Court.

There currently are bills pending in the New Jersey legislature that would cap recoverable noneconomic damages in a professional negligence action against a “health care provider” at $250,000.  Similar bills have been introduced in prior sessions but not been released from committee.  There is substantial literature looking at the impact of tort reform with damages caps on lowering direct and indirect costs of medical care and the access to health care.

Engaging in an analysis of malpractice tort reform – whether in the form of damages caps or otherwise – is likely to be critical to the full implementation of the Affordable Care Act.

Limitation On Medical Malpractice Insurers’ Ability to Cancel Coverage

In a precedential opinion filed on January 22, 2014 in DeMarco v. Stoddard, the intermediate appellate court of the New Jersey Superior Court ruled that a malpractice insurer could not deny coverage for an insured who had made material misrepresentations in obtaining his insurance policy.  This is the first published opinion in New Jersey addressing broadly the implications of the mandatory nature of medical malpractice insurance in the state.

While physicians have long obtained professional liability insurance coverage as a matter of prudent financial planning, such coverage was not required in New Jersey until 1998 when the Legislature enacted a statutory requirement that a physician with an office in the state and having patient care responsibilities was to be covered by malpractice insurance or a posted letter of credit.  See N.J.S.A. 45:9-19-17.  In 2004 N.J.S.A 45:9-19-17 was amended to require a specific amount of malpractice insurance as a minimum – $1 million – to be maintained by a physician with patient responsibilities.

In DeMarco the court dealt with a malpractice claim that was brought by a patient against a podiatrist.  The defendant podiatrist had obtained insurance coverage through the Medical Malpractice Joint Underwriting Association of Rhode Island encompassing the period of 2007 through 2011.   Dr. Stoddard was licensed in both Rhode Island and New Jersey.  He had a Rhode Island office address that was included in his application.  He also indicated that “at least 51%” of his practice was generated in Rhode Island.  That statement was false.  The false statement was repeated in renewal applications.

In September 2010 Dr. Stoddard performed surgery on the patient DeMarco in New Jersey.  The patient had difficulties and his condition worsened.  He came under the treatment of another provider and eventually filed suit in October 2011.  Dr. Stoddard forwarded notice of the suit to the Rhode Island JUA for defense.  It responded that it would not provide a defense if more than half his practice were in New Jersey and considered the policy void because of the misrepresentations.  The patient’s attorney sought a declaratory judgment as to the JUA’s obligation to defend and indemnify Dr. Stoddard.  This was granted in the patient’s favor by the trial judge.

The Appellate Division affirmed. The court viewed the statutory requirement for medical malpractice insurance as the equivalent to the financial responsibility provisions of mandatory automobile insurance in New Jersey. The court noted that New Jersey requires that doctors carry malpractice insurance of at least $1 million coverage per occurrence, or if insurance coverage is not available, doctors must demonstrate their financial responsibility with a letter of credit of at least $500,000.   There is a similar requirement for podiatrists found in N.J.S.A. 45:5-5.3(a).  It quoted the legislative history that these laws were enacted to “ensure the citizens of the State that they will have some recourse for adequate compensation in the event that a physician or podiatrist is found responsible for acts of malpractice.”