Healthcare Data Breaches: Managing and Responding to Regulatory and Litigation Risks
January 10, 2017
A flurry of data breach activity has recently struck the healthcare sector, resulting in increasing litigation and regulatory scrutiny. Healthcare companies, such as hospitals, doctors' offices, health systems, and health plans, hold massive amounts of sensitive patient medical information through electronic means such as electronic health records, cloud computing and mobile apps. This has made healthcare organizations vulnerable to data breaches, and a prime target of hackers.

Regulatory Risk Environment

Healthcare data breaches are unique in that they generally fall within the purview of stringent federal and state healthcare privacy and security laws, including the Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations (collectively, "HIPAA"), and state breach notification requirements. Legal and regulatory violations regularly subject healthcare companies to fines, security audits and settlement agreements with the government that impose increased regulatory burdens, and even criminal penalties.

HIPAA Breach Notification Rule
Most healthcare organizations are required to comply with specific laws and regulations that impose strict requirements surrounding the protection of healthcare data, known under HIPAA as "protected health information" or "PHI," that is held, accessed, or processed by "covered entities" (e.g., certain healthcare providers, health plans, and healthcare clearinghouses) and their "business associates" (e.g., subcontractors that perform services for or on behalf of a covered entity). HIPAA contains specific breach notification obligations under its "Breach Notification Rule," including the obligation to notify affected individuals, and often the government and/or the media, when there is a "breach" of PHI. HIPAA defines "breach" as the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI. Thus, under HIPAA's Breach Notification Rule, even if an unauthorized acquisition or access of PHI occurs, a "breach" does not exist, and notification is not required, unless there has been a compromise of the security or privacy of the PHI at issue. However, the HIPAA regulations state that the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule "is presumed to be a breach" unless the covered entity can establish that no compromise occurred. To do so, the covered entity must demonstrate that there is a low probability that the protected health information has been compromised, based on a documented risk assessment. The practical consequence is that the burden of proof sits with the organization: absent a completed risk assessment showing low probability of compromise, an incident must be treated as a notifiable breach.

When a covered entity determines that a breach has occurred, it must provide notice to the individuals affected by the breach "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach." The covered entity must also notify the Secretary of the U.S. Department of Health and Human Services ("HHS"): contemporaneously with the individual breach notice for breaches involving 500 or more individuals, and annually for breaches involving fewer than 500 individuals. For a breach involving more than 500 residents of a state or jurisdiction, the covered entity must also notify prominent media outlets in that state or jurisdiction.

HIPAA violations can subject healthcare organizations to hefty fines, settlement agreements, and criminal penalties. Civil penalties for noncompliance are tiered by the level of culpability, and range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for violations of an identical provision; criminal penalties, including potential imprisonment, depend on the level of knowledge or willfulness. Moreover, HIPAA fines assessed against healthcare organizations are rising, with a recent HIPAA violation resulting in a $2.2 million settlement with HHS. This underscores the importance of careful and diligent compliance with HIPAA, including the Breach Notification Rule.

State Breach Notification Laws

To date, 47 states have enacted breach notification laws that require data owners possessing "personal information" to provide notice to individuals affected by a data security breach involving such information. The state breach notification laws generally require that a company provide notice to affected individuals where an incident results in the "unauthorized acquisition" of personal information, though some jurisdictions use an "unauthorized access" threshold for imposing a notification obligation. The definition of "personal information" varies by state, and some states, including California, specifically include healthcare information within that definition.
Even if healthcare information is not specifically included as personal information, some healthcare records contain sensitive information such as social security numbers or financial account numbers, which would constitute personal information that may trigger state laws.
The definition of "breach" that triggers notification to individuals also varies from state to state. Many states define a "breach" such that the incident must "compromise the security or confidentiality" of the information to be considered a breach requiring notice to individuals. Other states require notification to individuals only where the incident presents a risk of harm to them, including a risk of identity theft or fraud. Each state's breach notification law sets forth the timing and content of breach notifications, as well as the requirements for notifying state regulators. Many of the state breach notification laws contain exemptions for encrypted data (HIPAA's rule likewise applies only to "unsecured" PHI, that is, PHI not rendered unusable, unreadable or indecipherable through a method such as encryption that HHS has specified in guidance), and some states exempt HIPAA covered entities from state breach notification obligations. However, a healthcare company that is the victim of a data breach may have to comply with not only HIPAA but also one or more state breach laws, depending on the residence of the affected individuals and the data elements involved.

Litigation Risks and Direct Costs
Healthcare data breaches have increasingly led affected individuals to bring lawsuits against the organizations that were holding their data at the time of the breach. While HIPAA does not provide a private cause of action for individuals affected by a breach, several states have allowed individuals to bring claims against healthcare providers under negligence theories, alleging that such providers breached the duty of care owed to their patients by permitting a breach of their data to occur. There is also the risk of shareholder derivative lawsuits against boards of directors, alleging that the boards breached their fiduciary duties by failing to adequately protect patient data. Because healthcare data breaches can affect thousands, millions or tens of millions of individuals, many data breach lawsuits are brought as class actions. For example, as discussed in the next section, numerous lawsuits have been brought against Anthem with respect to the data breach it experienced in 2015, many of which have been consolidated into class action lawsuits.

Healthcare data breaches also impose direct costs on organizations, such as the costs of providing notification, call center services and identity protection services to affected individuals. In addition, healthcare data breaches can result in public relations nightmares, damaging what is perhaps a healthcare organization's most important intangible asset: its reputation.

Recent Breaches

While hacking was the leading cause of healthcare data breaches in 2015, according to HHS, some of the largest HIPAA data breaches reported in the first half of 2016 were caused by theft, loss, improper disposal and unauthorized email access or disclosure.
As published in the Fall 2016 issue of Litigation Management Magazine. Reproduced with permission.
About the authors. . .
Christine Flammer is Claims Counsel for XL Catlin’s Cyber & Technology business. David Navetta is a Partner with Norton Rose Fulbright. Kimberly Gold is a Senior Associate with Norton Rose Fulbright.