Since the passage of the 2013 HIPAA Omnibus Rule, there has been a substantial increase in HIPAA enforcement actions brought by the Department of Health and Human Services, including an increase in so-called “high-impact cases” where settlements can reach into the millions of dollars. In addition, while HIPAA does not provide for a private cause of action, plaintiffs’ lawyers are increasingly characterizing unauthorized disclosures of electronic protected health information (“ePHI”) as violations of the Fair Credit Reporting Act (“FCRA”), which provides plaintiffs with a private cause of action. Accordingly, it is more important than ever that providers ensure that their data protection measures comply with the standards set forth in the HIPAA Security Rule.
One common issue in HIPAA compliance is the existence of portable media, particularly laptops containing ePHI. Theft of portable electronic device accounts for around half of the health data breaches that HHS typically faces. By comparison, hacking and IT incidents only account for around ten percent of HHS cases. Just this year, two healthcare entities paid a combined $1,975,220 to HHS after two laptops containing ePHI were stolen. In the first instance, an unencrypted laptop containing the ePHI of 148 individuals was stolen from an employee’s car. In the other instance, as a result of a theft of an unencrypted laptop from the provider’s facility, the provider paid $1,725,220 in fines. Multiple risk analyses performed by the provider recognized this problem, but the provider did not take sufficient steps to prevent it from happening.
The second most common issue is unauthorized access or disclosure of protected health information. This type of disclosure is of particular concern due to recent attempts by plaintiffs’ attorneys to seek damages for unauthorized disclosure under the FCRA. Such a case was recently brought against the University of Miami. In that case, the University transferred its patients’ ePHI to a third party vendor to store offsite. Employees of the vendor or other individuals with access to the vendor’s services accessed the University’s ePHI and then sold the information to various scam artists. The ePHI that was stolen included names, birthdates, and social security numbers. While the case is still pending in U.S. District Court for the Southern District of Florida, if plaintiffs are successful, the potential damages could easily reach into the millions or even tens of millions of dollars.
In sum, plaintiffs’ lawyers are now looking at violations of HIPAA as potential causes of action under the FCRA, and HHS is taking patient privacy more seriously than ever. The important take away for healthcare providers is that they too must consider patient privacy to be a grave concern or face ever increasing liability under HIPAA and possibly even the FCRA.