Legal News about HIPAA and Healthcare Compliance

Proliance Surgeons Sued Over Ransomware Attack and Data Breach

Posted by Steve Alder

A class action lawsuit has been filed against Proliance Surgeons, a Seattle, Washington-based surgery group over a recently disclosed ransomware attack and data breach that has affected almost 437,400 individuals.

The group operates around 100 surgery centers in the state and treats more than 800,000 patients each year. On May 24, 2023, a third-party forensic investigation into a cyberattack confirmed that hackers had access to files containing patient data and that they had removed “a limited number of files” from its network on February 11, 2023.  The data compromised in the attack included names, contact information, Social Security numbers, financial information, treatment information, driver’s license numbers, and usernames and passwords. Notifications were issued on November 21, 2023.

A lawsuit has been filed in federal court in Seattle by plaintiff and former patient, Alicia Berend, and similarly situated individuals whose sensitive information was compromised in the cyberattack. The lawsuit alleges Proliance Surgeons failed to adequately protect patient data as required by federal and state law and in accordance with its internal security policies, and that the data security failures constituted a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit also references an earlier security breach where unauthorized individuals had access to its online payment system for seven months between November 2019 and June 2020, allowing access to be gained to names, zip codes, and payment card information. Following that incident Proliance Surgeons said it would be enhancing its security measures to prevent similar incidents in the future. The earlier security breach is not shown on the HHS’ Office for Civil Rights (OCR) website, which indicates either the breach was not reported to OCR, that Proliance Surgeons determined protected health information had not been compromised, or the breach affected fewer than 500 individuals. The lawsuit claims that two major security breaches in a little over 3 years demonstrates a pattern of negligence with respect to data security.

The lawsuit also takes issue with the length of time taken to discover that patient data was involved, which occurred 102 days after the security breach was detected, and Proliance Surgeons then failed to issue notification letters to the affected individuals until November 21, 2023 – 283 days after the data breach occurred. The lawsuit claims that the plaintiff and class were kept in the dark about the breach, thus depriving them of the opportunity to mitigate their injuries in a timely manner.

The lawsuit claims the plaintiff and class have suffered widespread injury and monetary damages, and that the plaintiff has already suffered from identity theft and fraud. She has received emails indicating someone has used her identity for various out-of-state activities, including inquiries into properties in Florida, and has also received an increased number of spam messages and phone calls and now fears for her personal and financial security. The plaintiff claims that she has suffered anxiety, sleep disruption, stress, fear, and frustration and that these injuries go far beyond mere worry or inconvenience.

The lawsuit alleges negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and violations of the Washington Consumer Protection Act, Washington Data Breach Disclosure Law, and Washington Uniform Health Care Information Act (UHCIA). The lawsuit seeks class action certification, a jury trial, compensatory, exemplary, punitive, and statutory damages, and attorneys’ fees and legal costs.

The plaintiff and class are represented by Samuel J. Strauss of the law firm, Turke & Strauss LLP.

The post Proliance Surgeons Sued Over Ransomware Attack and Data Breach appeared first on HIPAA Journal.

Iowa Community HomeCare Sued over March 2023 Ransomware Attack

Posted by Steve Alder

UI Community HomeCare and UI Community Medical Services, which are subsidiaries of University of Iowa (UI) Health Care, are being sued by a former employee and a patient over a March 2023 ransomware attack and data breach. The data breach was disclosed by IU Health Care in May 2023, but occurred in March 2023 and affected its subsidiaries. Iowa Community HomeCare discovered the security breach on March 23, 2023, when files on its network were encrypted. The investigation confirmed there had been unauthorized access to files containing sensitive data on March 23, 2023.

Personal and protected health information was exposed, and potentially stolen, such as names, birthdates, addresses, phone numbers, medical record numbers, referring physician names, dates of service, health insurance information, billing and claims information, medical history information, and diagnosis/treatment information. At the time of issuing notifications, Iowa Community HomeCare had identified no attempted or actual misuse of the stolen data. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 67,897 individuals.

The lawsuit was filed against UI Community HomeCare and UI Community Medical Services and claims the attack and data breach could have been prevented if the defendants had implemented appropriate security measures. While security measures had been implemented, the lawsuit alleges the defendants willfully avoided their data security obligations at the expense of plaintiffs and class members by utilizing cheaper, ineffective security measures.

The defendants are also alleged to have failed to disclose to patients that substandard cybersecurity measures were in place and vulnerabilities had not been addressed, which led the plaintiffs and class members to believe their sensitive information would be adequately protected when making decisions about purchasing and availing of the defendants’ services. As such, the plaintiffs claim that the defendants’ profits, benefits, and other compensation were obtained improperly and that the defendants are not legally entitled to retail any of the benefits, compensation, or profits realized from their transactions.

The lawsuit names Becky Kaefring and Kimberly Sullivan as plaintiffs. Kaefring worked for UI Community HomeCare between 2003 and 2019 and Sullivan’s child received health care services from UI Community HomeCare. The plaintiffs allege they have suffered injuries as a result of the data breach including lost time, annoyance, interference, inconvenience, and anxiety about the exposure of their sensitive data, and that they are faced with the burden of having to closely monitor for identity theft and fraud for years to come.

Kaefring alleges negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty and Sullivan alleges negligence, breach of implied contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment. The lawsuit seeks class action certification, damages, a refund, and injunctive relief, including an order from the court compelling the defendant to make substantial improvements to security.

The post Iowa Community HomeCare Sued over March 2023 Ransomware Attack appeared first on HIPAA Journal.

Kroger Sued for Disclosing Pharmacy Patient Data via Meta Pixel Tool

Posted by Steve Alder

The supermarket chain, Kroger, is being sued over the alleged unlawful practice of using tracking technologies on its website to collect the sensitive data of its customers and impermissibly disclosing that information to third parties such as Meta Platforms. The lawsuit was filed in the U.S. District Court of the Southern District of Ohio, Western Division, on behalf of the anonymous plaintiff, Jane Doe, and other similarly situated individuals whose privacy was violated. The lawsuit alleges that patients of the Kroger pharmacy were not made aware that their personal information was being collected and disclosed to third parties. According to the lawsuit, “[The website Kroger.com] surreptitiously manipulated their web browsers, thereby causing their communications with the Defendant via the Website to be shared and/or intercepted by unauthorized third parties.”

Individuals who used the Kroger.com website to submit prescriptions disclosed confidential health information on the site such as the names of their prescription medications, the dosage and form of the medications, and more. From that information, third parties were able to determine, in many cases, the specific type of medical condition they had been diagnosed with, including cancer, HIV, mental health conditions, and pregnancy. Since Meta’s Pixel tracking code connects user data to the user’s individual Facebook ID, the information transmitted to Meta is not anonymous and can be linked to other sensitive information in the user’s Facebook account.

The lawsuit explains that Kroger, as the operator of a pharmacy, is an entity covered and bound by the Rules of the Health Insurance Portability and Accountability Act (HIPAA) and, as such, is not permitted to disclose patient information to third parties without first obtaining consent, unless there is a legitimate reason for doing so and the disclosure is permitted by the HIPAA Privacy Rule. The HHS’ Office for Civil Rights (OCR) confirmed in December 2022 guidance that disclosures of protected health information via tracking technologies on websites and apps are not permitted unless there is a business associate agreement in place or patient authorizations have been obtained. Kroger had neither. While the lawsuit alleged the actions of Kroger violated HIPAA , there is no private cause of action in HIPAA so HIPAA-covered entities cannot be sued for HIPAA violations. The lawsuit alleges there have also been violations of Ohio state law, which expressly prohibits the disclosure of private information without express written consent, and state residents are permitted to sue under Ohio law for violations.

The lawsuit, Jane Doe v. The Kroger Co., alleges a violation of the Electronic Communications Privacy Act, breach of confidence, invasion of privacy/intrusion upon seclusion, breach of implied contract, unjust enrichment, negligence, breach of fiduciary duty, and interception and disclosure of electronic communications. These alleged violations have led to the plaintiff and class members sustaining injuries, including invasion of privacy, loss of benefit of the bargain, diminution of the value of their private information, statutory damages, and the continued and ongoing risk to their private information. The lawsuit seeks class action certification, a jury trial, damages, attorneys’ fees, legal costs, and an order from the courts preventing Kroger from engaging in further unlawful practices.

The attorneys for the plaintiff and class members are Terence R. Coates, Dylan J. Gould, and Spencer D. Campbell of the law firm Markovits, Stock & DeMarco, LLC, and Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman PLLC.

This is one of the latest of many lawsuits that have been filed against healthcare organizations and Meta over the use of tracking technologies. Legal action has also been taken against OCR over its tracking technology guidance, which the lawsuit claims is unlawful.

The post Kroger Sued for Disclosing Pharmacy Patient Data via Meta Pixel Tool appeared first on HIPAA Journal.

HIPAA Enforcement by State Attorneys General

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).

The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and they can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and for delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000.

State attorneys general HIPAA cases were relatively rare occurrences, with only 11 settlements reached with HIPAA-covered entities and business associates to resolve HIPAA violations between 2010 and 2015. HIPAA enforcement by state attorneys general was stepped up in 2017 with 5 settlements and again in 2018 when 12 cases resulted in financial penalties for violations of the HIPAA Rules.

In 2019 and 2020, a total of just 5 cases resulted in financial penalties, although those penalties were sizeable, with four of the five cases being multistate actions against HIPAA-covered entities and business associates where several state attorneys general participated in the actions. These multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more efficiently.

2023 was a busy year in terms of enforcement, with 16 enforcement actions to resolve violations of the HIPAA Rules and state consumer protection and breach notification laws. Cases were resolved by the Attorneys General in California, Colorado, Indiana, New York, Ohio, and Pennsylvania and there were three multistate investigations resolved, including a 49-state action against Blackbaud, a 32-stat action against Personal Touch Home Care, and a 4-state action against EyeMed Vision Care. The case against Blackbaud over its 5.5 million-record breach resulted in a penalty of $49.5 million.

When civil actions are brought against covered entities or business associates by state Attorneys General, they are separate from any Office for Civil Rights actions which may also choose to investigate and impose its own fins and penalties. Several data breaches have resulted in settlements being reached at both the federal and state level. Community Health Systems/CHSPSC, Anthem Inc., Premera Blue Cross, Aetna, Cottage Health System, University of Rochester Medical Center, and Medical Informatics Engineering have all settled cases with OCR and separate cases with state attorneys general to resolve potential HIPAA violations.

In many of the state AG enforcement actions below, the financial penalties resolve violations of federal (HIPAA) and/or state laws. Over the years there have been several cases where HIPAA Rules have been violated, but the decision was taken to bring actions for violations of the equivalent provisions in state laws. The cases detailed below include cases where the HIPAA Rules have been violated, but action has been taken for the violation of state laws.

HIPAA Enforcement by State Attorneys General in 2024

Year State Entity Amount Individuals Affected Reason for Investigation Findings
2024 New York Refuah Health Center $450,000 and invest $1.2 million in cybersecurity 260,740 May 2021 ransomware attack Multiple violations of the HIPAA Security Rule, a violation of the HIPAA Breach Notification Rule, and violations of New York Business Law.

HIPAA Enforcement by State Attorneys General in 2023

State attorneys general have imposed three financial penalties for HIPAA violations or equivalent violations of state laws.

Year State Entity Amount Individuals Affected Reason for Investigation Findings
2023 New York New York Presbyterian Hospital $300,000 54,396 Use of pixels and other tracking tools on website Violation of the HIPAA Privacy Rule and New York Executive Law for impermissibly disclosing PHI to third parties.
2023 New York Healthplex $400,000 89,955 (62,922 in New York) Phishing attack Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
2023 Indiana CarePointe ENT $120,000 48,742 Ransomware attack and data breach Failure to address known vulnerabilities, business associate agreement failure, violations of the Indiana Disclosure of Security Breach Act and Indiana Deceptive Consumer Sales Act
2023 New York U.S. Radiology Specialists Inc. $450,000 198,260, including 92,540 New York residents Cyberattack and data breach Failure to upgrade hardware in a reasonable time frame to address a known vulnerability.
2023 New York Personal Touch Holding Corp $350,000 753,107 Ransomware attack Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training.
2023 Multistate (32 states and PR) Inmediata $1.4 million 1,565,338 Unsecured server exposed PHI online, breach notifications Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state breach notification laws
2023 Multistate (49 states and DC) Blackbaud $49.5 million 5,500,000 Ransomware attack Violations of the HIPAA Rules regarding safeguards and breach response, and violations of state consumer data protection laws
2023 Colorado Broomfield Skilled Nursing and Rehabilitation Center $60,000 ($25,000 suspended if full compliance with corrective measures) 677 individuals 2 compromised email accounts Violations of the HIPAA Security Rule, state data protection laws, including the Colorado Consumer Protection Act (CCPA)
2023 Indiana Schneck Medical Center $250,000 89,707 individuals Ransomware attack and data breach Violations of the HIPAA Privacy, Security, and Breach Notification Rules. Violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act
2023 California Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49,000,000 7,700 individuals Improper disposal of hazardous waste, medical waste, and protected health information Violations of HIPAA, California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law.
2023 California Kaiser Permanente $450,000 up to 167,095 individuals Mailing error and PHI disclosure California Confidentiality of Medical Information Act (CMIA) violations – impermissible disclosure of PHI and negligent maintenance or disposal of PHI
2023 New York Practicefirst Medical Management Solutions (Professional Business Systems Inc.) $550,000 1.2 million Ransomware attack and data breach Failure to patch a critical firewall vulnerability for 22 months. No penetration testing or vulnerability scanning, and a lack of encryption for sensitive health data.
2023 Multi-state: Oregon, New Jersey, Florida & Pennsylvania EyeMed Vision Care $2,500,000 2.1 million Ransomware attack and data breach Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts.
2023 New York Heidell, Pittoni, Murphy & Bach LLP $200,000 61,438 Ransomware attack and data breach Violation of 17 provisions of the HIPAA Privacy and Security Rules
2023 Pennsylvania DNA Diagnostics Center $200,000 33,000 Stolen database containing 2.1 million records Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes.
2023 Ohio DNA Diagnostics Center $200,000 12,600 Stolen database containing 2.1 million records Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes.

This article will be updated as and when new fines, settlements, and other resolutions are announced to resolve violations of HIPAA and state laws.

HIPAA Enforcement by State Attorneys General in 2022

Year State Entity Amount Individuals Affected Reason for Investigation Findings
2022 Oregon and Utah Avalon Healthcare $200,000 14,500 10 Month delay in notifying individuals about a phishing attack and data breach The investigation determined the 10-month delay violated HIPAA (60-day reporting deadline) and Oregon law (45-day reporting deadline), email security practices were found to be insufficient, with the settlement including several data security requirements including the appointment of an individual responsible for developing, implementing, and maintaining a comprehensive data security program to ensure compliance with Consumer Protection Laws and HIPAA, including email filtering, security awareness training, and multifactor authentication.
2022 Aveanna Healthcare Massachusetts $425,000 166,000 Phishing attack and data breach The Massachusetts Attorney General determined there was a lack of appropriate safeguards to prevent phishing attacks, such as multifactor authentication and security awareness training for its workforce. The security measures implemented did not meet the minimum level for compliance with the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts or the HIPAA Security Rule.
2022 New York EyeMed Vision Care $600,000 2.1 million Phishing attack and data breach Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts.

HIPAA Enforcement by State Attorneys General in 2021

New Jersey was particularly active in HIPAA enforcement in 2021 and was the only state to initiate its own investigations and issue financial penalties to resolve HIPAA violations in 2021. New Jersey also participated in a joint investigation into the data breach at American Medical Collection Agency (AMCA) – One of the largest ever breaches of healthcare data. The AMCA HIPAA case saw a $21 million financial penalty imposed; however, due to the huge costs incurred as a result of the breach, AMCA filed for bankruptcy protection. Due to the financial position of the company, the financial penalty was suspended and will only need to be paid if AMCA defaults on the terms of the settlement agreement.

Year State Entity Amount Individuals Affected Reason for Investigation Findings
2021 New Jersey Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) $425,000 105,000 Phishing attack and data breach Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program.
2021 New Jersey Command Marketing Innovations, LLC and Strategic Content Imaging LLC $130,000 (Plus $65,000 suspended) 55,715 Printing and mismailing incident Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures
2021 New Jersey Diamond Institute for Infertility and Menopause $495,000 14,663 Hacking incident and data breach Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act
2021 Multi-state (41 state attorneys general) American Medical Collection Agency $21 million (suspended) 21 million Hacking incident and data breach Security failures including failure to detect a data breach

HIPAA Enforcement by State Attorneys General in 2020

Year State Entity Amount Individuals affected Reason for Investigation Findings
2020 Multistate (28 states) Community Health Systems / CHSPSC LLC $5,000,000 6.1 million Hacked by Chinese APT group Failure to implement and maintain reasonable security practices
2020 Multistate (43 states) Anthem Inc $39.5 million 78.8 million Phishing attack and major data breach Multiple violations of HIPAA and state laws
2020 California Anthem Inc $8.7 million 78.8 million Phishing attack and major data breach Multiple violations of HIPAA and state laws

HIPAA Enforcement by State Attorneys General in 2019

Year State Entity Amount Individuals affected Reason for Investigation Findings
2019 Multistate (30 states) Premera Blue Cross $10,000,000 10.4 million Hacking incident and major data breach Multiple violations of HIPAA and state laws
2019 Multistate (16 states) Medical Informatics Engineering $900,000 3.5 million Breach of NoMoreClipboard data Multiple violations of HIPAA and state laws
2019 California Aetna $935,000 1,991 2 mailings exposed PHI (Afib, HIV) Impermissible disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2018

Year State Entity Amount Individuals affected Reason for Investigation Findings
2018 Massachusetts McLean Hospital $75,000 1,500 Loss of backup tapes Insufficient risk assessment, failure to encrypt data, delayed breach notifications
2018 New Jersey EmblemHealth $100,000 6,443 (81,000) Mailing error exposed SSNs Impermissible disclosure of PHI, lack of staff training
2018 New Jersey Best Transcription Medical $200,000 1,650 Exposure of ePHI in Internet Risk assessment and risk management failure, breach notification failure
2018 Multistate (CT, NJ, DC) Aetna 640170.59 13,160 2 mailings exposed PHI (Afib, HIV) Impermissible disclosure of sensitive health information
2018 Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Multiple data breaches Failure to secure ePHI
2018 New York Arc of Erie County $200,000 3,751 Exposure of ePHI on the Internet Failure to secure ePHI
2018 New Jersey Virtua Medical Group $417,816 1,654 Exposure of ePHI on the Internet Multiple violations of the HIPAA Rules
2018 New York EmblemHealth $575,000 81,122 Mailing error exposed SSNs Impermissible disclosure of PHI, lack of staff training
2018 New York Aetna $1,150,000 12,000 2 mailings exposed PHI (Afib, HIV) Impermissible disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2017

Year State Entity Amount Individuals affected Reason for Investigation Findings
2017 California Cottage Health System $2,000,000 More than 54,000 Exposure of PHI on the Internet Failure to safeguard personal information
2017 Massachusetts Multi-State Billing Services $100,000 2,600 Theft of unencrypted laptop computer Failure to safeguard personal information
2017 New Jersey Horizon Healthcare Services Inc $1,100,000 3.7 million Theft of 2 unencrypted laptop computers Failure to safeguard personal information
2017 Vermont SAManage USA, Inc. $264,000 660 Exposure of PHI on the Internet Failure to secure ePHI, breach notification failure
2017 New York CoPilot Provider Support Services, Inc $130,000 221,178 Delayed breach notification Violation of breach notification requirements

HIPAA Enforcement by State Attorneys General (2010-2016)

Year State Entity Amount Individuals affected Reason for Investigation Findings
2015 New York University of Rochester Medical Center $15,000 3,403 List of patients provided to nurse who took it to a new employer Impermissible disclosure of ePHI
2015 Connecticut Hartford Hospital/ EMC Corporation $90,000 8,883 Theft of unencrypted laptop containing PHI Lack of Business Associate Agreement, failure to encrypt ePHI
2014 Massachusetts Women & Infants Hospital of Rhode Island $150,000 12,000 Loss of backup tapes containing PHI Failure to safeguard ePHI, lack of staff training
2014 Massachusetts Boston Children’s Hospital $40,000 2,159 Loss of laptop containing PHI Failure to encrypt ePHI
2014 Massachusetts Beth Israel Deaconess Medical Center $100,000 3,796 Loss of laptop containing PHI Failure to encrypt ePHI
2013 Massachusetts Goldthwait Associates $140,000 67,000 Mishandling of PHI Improper disposal of PHI
2012 Minnesota Accretive Health $2,500,000 24,000 Mishandling of PHI Failure to safeguard PHI
2012 Massachusetts South Shore Hospital $750,000 800,000 Loss of backup tapes containing PHI Failure to safeguard PHI
2011 Vermont Health Net Inc. $55,000 1,500,000 Loss of unencrypted hard drive/delayed breach notifications Failure to safeguard PHI, violation of breach notification requirements
2011 Indiana WellPoint Inc. $100,000 32,000 Failure to report breach in a reasonable timeframe Violation of breach notification requirements
2010 Connecticut Health Net Inc. $250,000 1,500,000 Loss of unencrypted hard drive Failure to safeguard PHI, violation of breach notification requirements

The post HIPAA Enforcement by State Attorneys General appeared first on HIPAA Journal.

Can A Patient Sue for A HIPAA Violation?

Posted by HIPAA Journal

Yes, a patient can sue for a HIPAA violation and there are an increasing number of class action suits for protected health information data breaches, although not under the provisions of the HIPAA law. There is no private cause of action in HIPAA, so it is not possible for a patient to directly sue for a HIPAA violation under the HIPAA law. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Laws. So, if it is not possible for a patient to directly sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws.

In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information.

Taking legal action against a covered entity can be expensive and there is no guarantee of success. Patients should therefore be clear about their aims and what they hope to achieve by taking legal action. An alternative course of action may help them to achieve the same aim.

Filing Complaints for HIPAA Violations

If HIPAA Rules are believed to have been violated, patients can file complaints with the federal government and in most cases complaints are investigated. Action may be taken against the covered entity if the compliant is substantiated and it is established that HIPAA Rules have been violated. The complaint should be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR).

While complaints can be filed anonymously, OCR will not investigate any complaints against a covered entity unless the complainant is named and contact information is provided.

A complaint should be filed before legal action is taken against the covered entity under state laws. Complaints must be filed within 180 days of the discovery of the violation, although in limited cases, an extension may be granted.

Complaints can also be filed with state attorneys general, who also have the authority to pursue cases against HIPAA-covered entities for HIPAA violations.

The actions taken against the covered entity will depend on several factors, including the nature of the violation, the severity of the violation, the number of individuals impacted, and whether there have been repeat violations of HIPAA Rules.

The penalties for HIPAA violations are detailed here, although many complaints are resolved through voluntary compliance, by issuing guidance, or if an organization agrees to take corrective action to resolve the HIPAA issues that led to the complaint. Complaints may also be referred to the Department of Justice to pursue cases if there has been a criminal violation of HIPAA Rules.

Complaints about individuals can also be filed with professional boards such as the Board of Medicine and the Board of Nursing.

How to File a Lawsuit for a HIPAA Violation

If you have been informed that your protected health information has been exposed as a result of a healthcare data breach, or you believe your PHI has been stolen from a specific healthcare organization, you may be able to take legal action against the breached entity to recover damages for any harm or losses suffered as a result of the breach.

The first step to take is to submit a complaint about the violation to the HHS’ Office for Civil Rights. This can be done in writing or via the OCR website. If filing a complaint in writing, you should use the official OCR complaint form and should keep a copy to provide to your legal representative.

You will then need to contact an attorney to take legal action against a HIPAA covered entity. You can find attorneys through your state or local bar association. Try to find an attorney or law firm well versed in HIPAA regulations for the greatest chance of success and contact multiple law firms and speak with several attorneys before making your choice.

There will no doubt be many other individuals who are in the same boat, some of whom may have already taken legal action. Joining an existing class action lawsuit is an option. The more individuals involved, the stronger the case is likely to be.

Many class action lawsuits have been filed on behalf of data breach victims that have yet to experience harm due to the exposure or theft of their data. The plaintiffs claim for damages for future harm as a result of their data being stolen. However, without evidence of actual harm, the chances of success will be greatly reduced.

Can a Patient Sue for a HIPAA Violation? FAQs

What kind of lawyer deals with HIPAA violations?

Most lawyers will be prepared to offer advice about whether you have a claim for a HIPAA violation; and, if the violation occurred with the previous 180 days, may pursue a civil claim on your behalf against a Covered Entity or Business Associate. Often the lawyer´s willingness to take on a claim will depend on the nature of the violation, the nature of harm you suffered, and the state laws that apply in your location.

What happens after a HIPAA complaint is filed?

This depends on who you make the complaint to. If you complain directly to the organization that violated your HIPAA rights, the complaint will be dealt with internally (unless it involves a breach of unsecured PHI, in which case the organization is required by law to notify HHS´ Office for Civil Rights.

If you complain to a state Attorney General, the Office of the Attorney General may investigate the organization directly on your behalf or escalate your complaint to HHS´ Office for Civil. If the complaint is escalated – or you complain directly to the Office for Civil Rights – your compliant will be acknowledged and sent for review.

If the review confirms a HIPAA violation, the organization will be contacted to obtain their “side of the story”. Depending on how the organization responds, the Office for Civil Rights may initiate an investigation or reject your compliant. You will be informed of the decision and any subsequent outcome of an investigation.

Has a patient ever successfully sued for a HIPAA violation?

No. However, the HIPAA Privacy Standards have been used in court cases as a benchmark of the level of privacy an individual can reasonably expect. One of the most frequently-quoted cases in this respect is Byrne versus the Avery Center for Obstetrics and Gynecology. This case was originally denied when the plaintiff pursued compensation for a violation of HIPAA, but the decision was reversed on appeal when the claim was changed to a violation in the duty of confidentiality.

Have there ever been successful class actions for a HIPAA violation?

There have been several settled class actions involving HIPAA Covered Entities who have failed to adequately protect personal information (note: not for violating HIPAA). Furthermore, class actions are frequently settled without an admission of liability (as in Jessie Seranno et al. v. Inmediata Corp.), so it would be incorrect to classify the class actions as “successful”.

How can I find out if my state has a privacy law I can use to claim for a HIPAA violation?

The International Association of Privacy Professionals maintains a web page tracking privacy legislation by state. It is important to note that many of the privacy laws listed on the web page are still to be passed or enacted, and some may not contain provisions that could support a claim for a HIPAA violation. To establish whether you have a claim for a HIPAA violation under your state´s consumer rights legislation, you should speak with an attorney.

I have received a letter stating my health data has been breached. What should I do?

Your response to the breach should be appropriate to nature of the data disclosed. The nature of the data exposed should be explained to you in the letter as well as advice on the measures you should take to protect yourself from fraud and theft. The letter should also contain contact information to find out more about the breach. In several cases, healthcare organizations have provided free credit monitoring services, and it may be in your best interests to find out if these are available to you.

What happens after a HIPAA complaint is filed?

This depends on who the complaint is made to, the nature of the violation, and whether it involves a criminal motive. Complaints made by patients directly to their healthcare provider are usually dealt with internally unless they involve an impermissible disclosure of unsecured PHI – in which case the healthcare provider will escalate it to HHS´ Office for Civil Rights under the Breach Notification Rule.

When a complaint is escalated – or when a complaint is made directly to HHS´ Office for Civil Rights – the complaint is reviewed to see if it is justifiable and, if so, if it can be resolved via technical assistance. If the resolution of the complaint requires more than technical assistance, HHS´ Office for Civil Rights will conduct an investigation and potentially impose a correct action plan or fine.

Complaints can also be made to state attorneys general, who work with HHS´ Office for Civil Rights to resolve the violation. However, if a violation potentially involves a criminal motive, the Office for Civil Rights will refer the complaint to the Department of Justice for investigation. In these cases, the person making the complaint may be required to provide evidence for the investigation to proceed.

The post Can A Patient Sue for A HIPAA Violation? appeared first on HIPAA Journal.