Missouri court doesn’t care about proving actual damages suffered.
Attorneys filing class action lawsuits against healthcare entities that have allegedly violated HIPAA don’t seem to be bothered by the fact that no private right of action exists under HIPAA — and apparently, state-level courts aren’t bothered either. This case should serve as a reminder that you’re not always protected from lawsuits based on HIPAA preempting less stringent state laws.
Kansas City, MO-based Midwest Women’s Healthcare Specialists (MWHS) recently entered into a settlement agreement and release to settle a class action lawsuit alleging a HIPAA data breach. MWHS agreed to pay out a settlement fund totaling $400,000 for class members, which included an incentive award for the named plaintiffs, attorneys’ fees, and credit monitoring for the affected individuals.
Don’t Dispose of Records This Way (Obviously)
Background: Back in May 2014, MWHS came under fire for a data breach. Hospital workers dumped MWHS patients’ paper records into an open-topped dumpster on a rather unfortunately windy day. Many of the paper records blew away in the wind.
The medical records contained patients’ names, addresses, telephone numbers, birth dates, Social Security numbers, insurance information, treatment instructions, doctor’s names, medical procedures, and treatment dates, according to Kansas City’s KSHB. A man driving by stopped and gathered about 70 patient records. When the hospital workers walked away instead of collecting the scattered records, the man brought the papers to KSHB Action News.
Patient records had blown into a field about one-quarter of a mile away from the medical center. Potentially hundreds of medical records blew out of the dumpster, but the settlement states that the breach affected more than 1,500 patients.
“You would think that it would be common sense not to dump stuff in the dumpster that contained protected health information,” said healthcare attorney Mary Beth Gettins of Gettins’ Law LLC in a recent blog posting. “If not for common sense, you would think the fear of facing the chance of paying large sums of money would be a deterrent.”
Remember: “Proper disposal of health information is serious,” Gettins stressed. “Under the HIPAA Rule, entities must have policies and procedures for the proper disposal of records and items containing PHI.”
When Proving Actual Damages Suffered Might Not Matter
On behalf of a putative class, two named plaintiffs filed a Petition for Damages and Class Action against MWHS, alleging breach of fiduciary duty under Missouri common law to keep the plaintiffs’ medical information confidential. The complaint argued that the fiduciary duty of privacy that Missouri law imposes “is explicated under the procedures set forth” in the HIPAA Privacy Rule “which requires a covered entity, healthcare provider, to apply appropriate administrative, technical, and physical safeguards to protect the privacy of patient medical records.”
As a result of the improper disclosure of medical information, the plaintiffs alleged that the class members suffered damages, “although the specific alleged damages were not outlined in the complaint,” noted attorney Linn Foster Freedman in a Dec. 19 blog posting for the law firm Nixon Peabody LLP.
Beware of ‘Creative Lawyering’
“This case illustrates the creative lawyering that can follow a data breach,” Freedman cautioned. “It is a mystery how HIPAA ‘explicates’ a fiduciary duty of privacy ‘imposed by Missouri law.’ No Missouri law is cited in the complaint, so what Missouri law is applicable is unexplained.”
Lesson learned: “There is no private right of action under HIPAA, and HIPAA preempts state law that is not more restrictive,” Freedman pointed out. “The precedent of the argument is concerning, but is a clear sign that litigation around data breaches will continue to grow and get more creative.”