Volume 22 Number 22, December 2, 2002
(Excerpted From Page 6)
HIPPA ENFORCEMENT SEEN COMING
FROM PRIVATE LAWSUITS, NOT HHS
Although new medical privacy rules,
which take effect next April 14, do not create a right for patients
to sue, they potential could increase the number of lawsuits against
health care providers and payers over wrongful disclosures and security
breaches, according to legal experts.
Given that the federal agency overseeing it
already has announced it would not be proactive in enforcing the
new rules, some experts see private litigation playing a more significant
enforcement role. Last month, Ruben King-Shaw Jr., deputy administrator
of the Dept. of Health and Human Services, announced that the agency
would not initiate investigations and would only respond to complaints
(see Privacy Times, Vol. 22 No. 21, November 17, 2002.)
"Indeed, the plaintiffs bar is keenly
anticipating the opportunities that HIPAA presents, calling HIPAA
litigation the next "tobacco litigation," "breast
implant litigation," etc," said Leigh-Ann M. Patterson, a partner
with Boston's Nixon Peabody, at the Fifth National HIPAA Summit
in Baltimore, November 1.
Experts say there are two major reasons why
the rules, known as the Health Insurance Portability and Accounting
Act (HIPAA), could result in more litigation. First, the rules do
not preempt State privacy, unfair practices or tort laws that may
already create a private right of action. Second, they establish
a nationwide "standard of care" that most providers and payers will
be required to follow.
PRIVACY TIMES/December 2, 2002 Page
Lisa Vance, a San Antonio attorney who
represents physicians' offices and rural hospitals, predicted HIPAA
would figure prominently in litigation, particularly in States like
Texas that have pro-patient privacy laws.
"Although the Office for Civil Rights alone enforces
HIPAA, the enactment of the law itself establishes duties, contracts
and warranties between patients
and their health care providers. Any breach of these would
warrant a viable cause of action for a damaged patient. In
Texas, the risks are higher for health care providers, because the
Texas Medical Records Privacy Act is more stringent than HIPAA,"
"Some of these low-stakes cases are beginning to
incorporate HIPAA into their state-law claims and theories of liability
for invasion of privacy, notwithstanding the fact that HIPAA does
not create a private right of action. One court has already recognized
that HIPAA sets a national standard of care," Patterson said.
Linda Malek, an attorney with the New York firm
of Moses & Singer, has written extensively about HIPAA rules
and summarized them as requiring:
- Written policies and notification of those policies
and practices to patients
- Patient right to access his or her record, and
the right to correct errors
- Use of "minimum necessary" data for various functions
- Designation of entity official responsible for
- Training, internal safeguards, a complaint process,
sanctions for violations and mitigation procedures
- Compliance by "business associates" and employers
acting as "plan sponsors"
Leigh-Ann Patterson, the Nixon Peabody partner,
foresees both "low-stakes" exposure, involving a single plaintiff
and an isolated breach, and "high-stakes" exposure. The latter can
involve inadvertent mass disclosure due to poor security, or failure
to follow ones own privacy policies and procedures, or medical
data abuses or breaches by business associates.
She said a third category is known as "mass
torts" litigation, involving a large number of plaintiffs who
have been harmed by a single defendant. (Patterson is representing
Warner-Lambert., the pharmaceutical company, in a pending invasion-of-privacy
class-action against the CVS Pharmacy Chain and other drug companies
over mailings to CVS customers.)
HIPAA and medical privacy issues lend themselves
to high-stakes litigation both because of the ease of disclosure
electronic data and the sensitivity of the information.
"First, gone are the days of medicine in a manila
folder. . . . While technological advances arguably improve health
care delivery, the ease of collection, storage, and transmission
of data over electronic networks poses a threat to patient confidentiality
and privacy," she said.
"Second, health care information is perhaps
the most intimate, private, and sensitive type of information maintained
about a person. . . . Used improperly, disclosure can damage ones
reputation or be used for discriminatory purposes in the employment
context. The sensitivity of
Page 8 PRIVACY TIMES/December
this type of information makes medical
privacy an emotionally-charged topic, which naturally lends itself
to the high-stakes deterrence game."
For a security violation or a breach by a business
associate, plaintiffs lawyers "might use the satisfactory
assurance requirement in connection with a state law negligence
claim by patients for wrongful disclosure of PHI," Patterson said.
They might argue that the covered entity owed a duty of care to
the patient to ensure that personal data was not negligently entrusted
with a third-party who failed to take appropriate steps to safeguard
it. The applicable standard of care would likely be the prudent
behavior standard, which plaintiffs lawyers could be expected
to argue is enhanced by the HIPAA statutory standard of "satisfactory
assurance." They might also argue that HIPAA requires covered
entities to exercise a certain amount of due diligence in scrutinizing
its business associates security practices.
Patterson recommended that covered entities
be pro-active and not defensive, approach privacy from the patients
perspective and build a strong privacy infrastructure.