
Volume 22 Number 22, December 2, 2002

(Excerpted From Page 6)



Although new medical privacy rules, which take effect next April 14, do not create a right for patients to sue, they potentially could increase the number of lawsuits against health care providers and payers over wrongful disclosures and security breaches, according to legal experts.

Given that the federal agency overseeing it already has announced it would not be proactive in enforcing the new rules, some experts see private litigation playing a more significant enforcement role. Last month, Ruben King-Shaw Jr., deputy administrator of the Dept. of Health and Human Services, announced that the agency would not initiate investigations and would only respond to complaints (see Privacy Times, Vol. 22 No. 21, November 17, 2002.)

"Indeed, the plaintiffs’ bar is keenly anticipating the opportunities that HIPAA presents, calling HIPAA litigation the next "tobacco litigation," "breast implant litigation," etc," said Leigh-Ann M. Patterson, a partner with Boston's Nixon Peabody, at the Fifth National HIPAA Summit in Baltimore, November 1.

Experts say there are two major reasons why the rules, known as the Health Insurance Portability and Accounting Act (HIPAA), could result in more litigation. First, the rules do not preempt State privacy, unfair practices or tort laws that may already create a private right of action. Second, they establish a nationwide "standard of care" that most providers and payers will be required to follow.

PRIVACY TIMES/December 2, 2002 Page 7

Lisa Vance, a San Antonio attorney who represents physicians' offices and rural hospitals, predicted HIPAA would figure prominently in litigation, particularly in States like Texas that have pro-patient privacy laws.

"Although the Office for Civil Rights alone enforces HIPAA, the enactment of the law itself establishes dutiescontracts and warranties between patients and their health care providers.  Any breach of these would warrant a viable cause of action for a damaged patient.  In Texas, the risks are higher for health care providers, because the Texas Medical Records Privacy Act is more stringent than HIPAA," Vance said.

"Some of these low-stakes cases are beginning to incorporate HIPAA into their state-law claims and theories of liability for invasion of privacy, notwithstanding the fact that HIPAA does not create a private right of action. One court has already recognized that HIPAA sets a national standard of care," Patterson said.

Linda Malek, an attorney with the New York firm of Moses & Singer, has written extensively about HIPAA rules and summarized them as requiring:

  • Written policies and notification of those policies and practices to patients
  • Patient right to access his or her record, and the right to correct errors
  • Use of "minimum necessary" data for various functions
  • Designation of entity official responsible for privacy
  • Training, internal safeguards, a complaint process, sanctions for violations and mitigation procedures
  • Compliance by "business associates" and employers acting as "plan sponsors"

Leigh-Ann Patterson, the Nixon Peabody partner, foresees both "low-stakes" exposure, involving a single plaintiff and an isolated breach, and "high-stakes" exposure. The latter can involve inadvertent mass disclosure due to poor security, or failure to follow one’s own privacy policies and procedures, or medical data abuses or breaches by business associates.

She said a third category is known as "mass torts" litigation, involving a large number of plaintiffs who have been harmed by a single defendant. (Patterson is representing Warner-Lambert, the pharmaceutical company, in a pending invasion-of-privacy class action against the CVS Pharmacy Chain and other drug companies over mailings to CVS customers.)

HIPAA and medical privacy issues lend themselves to high-stakes litigation both because of the ease of disclosure of electronic data and the sensitivity of the information.

"First, gone are the days of medicine in a manila folder. . . . While technological advances arguably improve health care delivery, the ease of collection, storage, and transmission of data over electronic networks poses a threat to patient confidentiality and privacy," she said.

"Second, health care information is perhaps the most intimate, private, and sensitive type of information maintained about a person. . . . Used improperly, disclosure can damage one’s reputation or be used for discriminatory purposes in the employment context. The sensitivity of

Page 8 PRIVACY TIMES/December 2, 2002

this type of information makes medical privacy an emotionally-charged topic, which naturally lends itself to the high-stakes deterrence game."

For a security violation or a breach by a business associate, plaintiffs’ lawyers "might use the satisfactory assurance requirement in connection with a state law negligence claim by patients for wrongful disclosure of PHI," Patterson said. They might argue that the covered entity owed a duty of care to the patient to ensure that personal data was not negligently entrusted to a third party who failed to take appropriate steps to safeguard it. The applicable standard of care would likely be the prudent behavior standard, which plaintiffs’ lawyers could be expected to argue is enhanced by the HIPAA statutory standard of "satisfactory assurance." They might also argue that HIPAA requires covered entities to exercise a certain amount of due diligence in scrutinizing their business associates’ security practices.

Patterson recommended that covered entities be proactive and not defensive, approach privacy from the patient’s perspective and build a strong privacy infrastructure.

Copyright 1999-2006, Evan Hendricks. All rights reserved.