Look out: Private lawsuits can be just as costly as federal HIPAA fines.
You might think you’re in the clear as long as you have a good grip on HIPAA requirements in your organization, but that may not always be the reality. A recent court case shows you could be held responsible for a business associate’s HIPAA violation.
Background: Stanford Hospital & Clinics and two of its vendors faced a class action lawsuit, led by former patient Shana Springer, for alleged privacy breaches of patients’ protected health information (PHI) in violation of California’s state privacy laws. The plaintiffs sought $20 million in damages, but the defendants recently settled the case for $4.1 million.
Multi-Specialty Collection Services (MSCS), Stanford’s business associate (BA), was named in the lawsuit; Corcino & Associates, another BA contracting with MSCS, was later added to the complaint. The lawsuit alleged that Stanford and its BAs were responsible for disclosing the PHI of 20,000 emergency room patients. The BA had posted an Excel file online containing the PHI.
Because the BAs were at fault for the unpermitted disclosure, they will pay the majority of the settlement — about $3.3 million, reported attorney Elana Zana in a blog post for the Seattle-based law firm Ogden Murphy Wallace. But Stanford is still stuck paying out a whopping $500,000 toward a “vendor education fund” under the settlement agreement, as well as $250,000 in settlement administrative costs.
Why ‘No Fault’ Doesn’t Protect You
Keep in mind that this settlement arose strictly from violations of state privacy laws. The state and federal government investigated the incident and determined that Stanford was not at fault for the disclosure, stated Martie Ross, attorney and principal for Pershing Yoakley & Associates, in a PYA Healthcare Blog post. Stanford received no penalties as part of the case.
Beware: “The risks of private lawsuits are real,” Ross warned. Just because HIPAA does not include a private cause of action doesn’t mean that patients cannot sue you under state law.
“Many states, like California, have privacy laws that allow a private individual to sue a party that violates that law,” Ross noted. “Additionally, an individual can bring a common law claim for negligence, alleging a HIPAA breach violates the standard of care.”
Hidden trap: And now that HIPAA requires you to notify patients of breaches, there are more opportunities for affected patients to pursue private claims, Ross said. Attorneys may not care much about a single patient’s complaint, but breaches usually involve a larger number of patients. And this can lead to a class action lawsuit with a potentially large payout, which is enticing to plaintiffs’ attorneys.
“Looking at the facts as reported, it is hard to find anything Stanford did wrong,” Ross lamented. Stanford had an appropriate BA agreement (BAA) in place, “it had no notice of any prior wrongdoing by MSCS, it encrypted the data sent to MSCS, and it met its obligations with respect to mitigation and breach notification once the posting was discovered.”
Stanford was even unaware of Corcino, which contracted with MSCS and ultimately was directly responsible for the breach, Ross noted. “So why is Stanford paying out $750,000?”
“Not only is Stanford its brother’s keeper, it is also its brother’s brother’s keeper,” Ross said. Thanks to the HIPAA Omnibus Final Rule, there is now a greater emphasis on BAs’ and subcontractors’ responsibility to protect patient privacy.
Bottom line: “The major lesson to glean from this case is that covered entities should better investigate their vendors before transmitting PHI,” Zana stressed. “Meaning not just simply executing a Business Associate Agreement with an indemnification and insurance provision (though advisable), but also reviewing/evaluating their current security policies, staff training, use of subcontractors, and encryption standards.”