Category: HITECH

HIPAA/HITECH Data Breaches and Class Action Exposure?

A new adverse consequence for violations of HIPAA requirements for the security of protected health information and data may be emerging. On February 28, 2014 the United States District Court for the District of Southern Florida entered an Order Granting a Motion for Final Approval of Class Action Settlement in Curry v. AvMed, Inc., Civil Action No. 10-cv-24513. The District Court’s approval of the $3 million settlement concludes litigation that had initially been dismissed for failure to state a cognizable injury, on the grounds that the complaint predicated recovery upon the spectre of injury, in the form of a heightened likelihood of identity theft, rather than injury in fact, and that the expenditure of time and money to combat future identity theft was not sufficient. The case had gone to the Eleventh Circuit Court of Appeals, which reversed and remanded the matter. Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012). The settlement in effect implemented the approach promulgated by the Court of Appeals.

Violations of HIPAA’s requirements for security of protected health information, as reinforced by the more recent HITECH and Omnibus Rule provisions, have been drawing increasing scrutiny and severe enforcement from the Office for Civil Rights. The $1.7 million settlement with WellPoint for security violations and the $1.2 million settlement with Affinity Health Plan for returning a leased photocopier without erasing the data on the hard drives are only recent instances of this phenomenon. In addition to the substantial penalties that accrue at up to $50,000 per violation, with each involved patient being a separate violation, there are the costs associated with the data breach notification requirements and the resultant negative publicity.

Civil lawsuits, especially in the form of federal class action claims, have not been a meaningful danger. The lack of a private right of action for HIPAA violations is firmly entrenched. The requirements for standing in a federal class action have worked to preclude most consumer litigation alleging data breach. According to Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), actual or imminent injury is necessary for Article III standing in a federal lawsuit and not simply the potential for injury. Clapper was not a data breach claim, but its analysis is applicable. In addition, the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d), gives the district courts original jurisdiction over putative class actions where minimal, even if not complete, diversity of citizenship exists. The Act permits removal of a lawsuit from state to federal court where there is a class of more than 100 people and the aggregate claims are more than $5 million, even if only state law claims are being made. Thus, data breach cases are routinely removed to federal court, which has been notably less hospitable to such claims. However, data breach class actions may still be brought in state court. Indeed, the Supreme Court held on January 14, 2014 that actions brought by state attorneys general are not removable to federal court. See Mississippi ex rel. Hood v. AU Optronics Corp., 134 S. Ct. 736 (2014). This would include civil damage actions pursuant to HITECH for violations of HIPAA privacy and security regulations by covered entities and business associates. See generally 42 U.S.C. § 1320d-5(d).

The factual scenario in Resnick v. AvMed is unfortunately too familiar and recurrent. Laptops with unencrypted protected health information of over a million health plan members were lost. The pleading alleged that plaintiffs had experienced no identity theft before the data breach and discovered instances of identity theft about a year after the loss of the laptops. The court of appeals held that this set forth a sufficient cognizable injury, with sufficient facts to allow a plausible inference that AvMed’s failure to secure the data resulted in identity thefts regarding the plaintiffs, and that there was a sufficient nexus between the data breach and the identity theft. The claims in Resnick were not based on HIPAA or HITECH provisions but rather on Florida law. However, a number of cases have used the HIPAA regulations as a “standard of care” for purposes of state law breach of confidentiality claims.

The February 2014 approval of the class action settlement may be the precursor of a lower threshold for data breach claims. In contrast is the decision in the District of New Jersey in Polanco v. Omnicell, Inc., 2013 WL 6823265 (D.N.J. Dec. 26, 2013), in which a class action was dismissed for lack of injury-in-fact. This was another lost laptop case, with PHI for thousands of patients that had been provided to a vendor of medication control and dispensing systems. An employee’s laptop with this unencrypted information was stolen from a parked car. The defendants included several hospitals and healthcare systems to which patients had provided their personal information while seeking healthcare treatment. (McElroy, Deutsch, Mulvaney & Carpenter, LLP was counsel of record for one of the defendants in the lawsuit.)

Relying on Clapper, Judge Hillman found that plaintiffs had failed to allege sufficient injury-in-fact so as to have standing to bring the lawsuit in federal court.  The court found that Clapper was “controlling.”  In his opinion, Judge Hillman rejected the attempt by plaintiff to distinguish Clapper and claim that the current matter was not a data breach case.  Plaintiff asserted that the data breach had revealed that at least one of the hospitals was not HIPAA-compliant and that it continued in a failure to take corrective steps to prevent further dissemination and to compel the institutions to purge their records of her PHI.  The court noted that there was no private action under HIPAA and the enforcement responsibility rested with the Secretary of Health and Human Services.  Citing the Third Circuit decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir. 2011), it rejected the contention that time and expense for monitoring the consequence of the alleged data breach satisfied the injury requirement.   The court dismissed the complaint without prejudice based on lack of subject matter jurisdiction.

The Eleventh Circuit opinion in Resnick was issued before the SCOTUS opinion in Clapper.  Although the approval of the class action by the Florida District Court suggests a continuing vitality to the Resnick approach to standing and injury, decisions such as Polanco call into question whether it is still good law.  That remains to be seen.  But what is clear – and has been for some time – is that the costs associated with encrypting data are small in comparison to the costs of litigation, breach notification protocols, and potential penalties arising from failure to comply with HIPAA and HITECH.

According to OCR Deputy Director, Covered Entities and Business Associates Can Expect More HIPAA “Compliance and Enforcement” Action from OCR in 2014

In remarks at HIMSS 14, the flagship conference and exhibition of the Healthcare Information and Management Systems Society, Susan McAndrew, Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR), stated that for the coming year 2014, “compliance and enforcement is really where the action is going to be,” as far as OCR is concerned. According to McAndrew, this includes “investigating our new friends, business associates,” who, under the 2013 HIPAA Omnibus Rule, may also be liable for data breaches. In earlier blog entries, we anticipated OCR’s intention to step up auditing and enforcement efforts of covered entities and business associates in 2014.

In addition, McAndrew highlighted her agency’s interest in ensuring patient access to their healthcare records, including electronic data. Under the Omnibus Rule’s amendments to HIPAA and other changes to the Clinical Laboratory Improvement Amendments (CLIA), patients have expanded rights to electronic access of health information and laboratory results.

That same day, HHS provided notice in the Federal Register of OCR’s intent to collect information from HIPAA-covered entities and business associates for the purpose of conducting pre-audit screenings. These surveys will gather information about covered entities and business associates to enable OCR to assess their size, complexity, and fitness for an audit. It is estimated that approximately 1,200 covered entities and business associates will be contacted.

At this time, comments are being accepted concerning: (1) the necessity and utility of the proposed information collection for the proper performance of OCR’s functions; (2) the accuracy of the estimated burden of 30 to 60 hours per respondent; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden.

Every covered entity and business associate, as well as any other business or individual that handles protected health information, should have a rigorous compliance program in place which is regularly audited and reevaluated in light of changes in the law and industry best practices. For more information, contact our Healthcare Practice Group.

HHS’s notice is available on the web at:  http://www.gpo.gov/fdsys/pkg/FR-2014-02-24/pdf/2014-03830.pdf

2014 HIPAA and HITECH Enforcement Outlook: FTC Flexes Consumer Protection Muscle Against Provider after Data Breach, OIG Spurs OCR to Strengthen Security Rule Enforcement

Providers who experience significant data breaches in 2014 should be prepared to deal with possible enforcement actions by the Federal Trade Commission (FTC) as well as enhanced enforcement of the Security Rule from the Office for Civil Rights (OCR).

In May 2008, LabMD, a Georgia-based provider of laboratory testing services, was informed by a third party that some of LabMD’s internal documents were publicly available through the “Limewire” peer-to-peer (P2P) file sharing application. LabMD’s investigation revealed that this program had been downloaded and installed on one of its computers by an employee who wanted to listen to music while working. By doing this, the employee exposed numerous proprietary documents that included names, addresses, dates of birth, social security numbers, CPT codes and other personal health information to anyone using the P2P network.

In August 2013, the FTC brought a formal complaint against LabMD based upon this data breach, alleging that LabMD’s “failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information, including dates of birth, SSNs, medical test codes, and health information, caused, or is likely to cause, substantial injury to consumers” and constituted an “unfair act” affecting commerce.

The FTC also claimed that LabMD’s “fundamental, systemic security failures… put at risk consumers’ sensitive personal and health information,” relying on the fact that information concerning individuals who had received services at LabMD was found in the possession of a California identity theft ring.

While LabMD addressed the Limewire vulnerability in short order, the FTC pushed for much harsher sanctions, including the implementation of a far-reaching data security plan which would be subject to periodic outside audit and certification for the next 20 years. LabMD vigorously resisted the FTC’s demands, arguing that the agency lacked jurisdiction to regulate patient data security practices. While it is true that such issues are usually the province of the Department of Health and Human Services, which oversees HIPAA and HITECH compliance, the FTC maintained that such authority is not exclusively vested in HHS, and that the FTC possessed “concurrent and complementary jurisdiction to protect consumers’ sensitive health information.” Unfortunately for LabMD, its argument was rejected in January 2014. Soon thereafter, LabMD announced it would cease accepting new specimens and begin winding down operations.

This decision, which appears to signal the FTC’s determination to broaden the scope of its enforcement actions, comes on the heels of a November 2013 report from the Office of Inspector General (OIG), which recommended that the OCR revise procedures to more efficiently and effectively accomplish its mandate under HITECH that it “provide for periodic audits to ensure” Security Rule compliance.

The FTC’s final order and opinion concerning LabMD is available at: http://www.ftc.gov/system/files/documents/cases/140130labmdorder.pdf

The OIG’s November 2013 report concerning the OCR’s oversight and enforcement responsibilities under HIPAA and HITECH is available at:  https://oig.hhs.gov/oas/reports/region4/41105025.asp