Connecticut Supreme Court: plaintiffs can sue for HIPAA violations

It has been a commonly held belief that a patient cannot sue under HIPAA for a breach of confidential health information because HIPAA provides no private cause of action.  The patient’s only recourse has been to report the violation to the federal agency responsible for enforcing the law, in this case the Department of Health and Human Services.

Recently, however, the Connecticut Supreme Court overturned a lower court’s decision that HIPAA precludes plaintiffs’ individual liability claims relating to violations of health information confidentiality.  In Byrne v. Avery Center for Obstetrics and Gynecology, in which the clinic released PHI in response to a subpoena, the higher court ruled that “If Connecticut’s common law recognizes claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims.”

The Connecticut court’s ruling follows similar rulings in Tennessee and Delaware in recent years.  The Connecticut ruling went on to say “We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

Healthcare providers are, of course, paying close attention to these court rulings.  But these rulings are also sending shock waves through other industries whose privacy and data security are similarly governed by federal laws that provide no private cause of action.  These laws include FERPA and COPPA, which protect the privacy of students and children; GLBA, the Gramm-Leach-Bliley Act, which governs financial institutions; and the wide-reaching FTC Act, the Federal Trade Commission Act.

See Clinical Psychiatry News article at “Court: Patients can sue over HIPAA breaches”

A plus in the operating room, EHRs can cause trouble for providers in the courtroom

Electronic health records have been touted as having – and have proven to have – many benefits for healthcare organizations in terms of cost savings and efficacy of medical treatment.  They are not, however, unalloyedly beneficial in the courtroom.  As might be expected, the most important evidence in malpractice cases is medical records and now that they are digitized these records tend to be in EHR form.  According to defense attorneys, electronic medical records come with their own set of problems for the provider facing a malpractice lawsuit.  One striking issue is the “autofill” feature in EHR templates which automatically populates fields with data that may not be pertinent to the situation at hand.  Other issues include technical glitches, as well as users not using the software correctly.

See Business Insurance article at "Malpractice suits often tap electronic medical records"

AHIMA issues health info management recommendations

The American Health Information Management Association (AHIMA) recently released a set of guidelines regarding data governance of what it calls “information assets.”  AHIMA asserts that the healthcare industry must manage the huge amounts of data it works with in an intentional, standardized manner across the industry.  According to AHIMA, “information governance” is “…an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”  Prioritizing accuracy, timeliness and accessibility, AHIMA’s approach rests on eight principles:  accountability, transparency, integrity, protection, compliance, availability, retention, and disposition.

See Modern Healthcare article at “AHIMA releases principles for new area: information governance,” and the 21-page AHIMA document at “Information Governance Principles for Healthcare”

California courts: Sutter Health not liable in $4.25 billion data breach case

In a development sure to draw attention, the California Supreme Court last week upheld a lower court’s dismissal of the $4.25 billion case against Sutter Health arising from an October 2011 data breach.  A password-protected computer full of unencrypted data, stolen from one of Sutter Health’s Sacramento locations, contained records for 4.24 million patients.  In July 2014, thirteen coordinated lawsuits in the case were dismissed by an appeals court.  According to the appeals court, the case was dismissed because there is no evidence the stolen data has been used.

See Sacramento Business Journal (California) article at “California Supreme Court declines to review Sutter data-breach case”

Human-computer interactions: what happened during September's Texas Ebola misdiagnosis?

A new report on what went wrong in the processing of the late Thomas Eric Duncan upon his first visit to the emergency room proposes that a combination of human and computer errors was responsible.  A team of medical informaticists reviewed events leading up to the misdiagnosis, reporting their findings in "Ebola U.S. Patient Zero: Lessons on Misdiagnosis and Effective Use of Electronic Health Records."   The report, published October 23 in the online journal Diagnosis, suggests that certain EHR usability issues can contribute to medical errors.  One concern of the researchers is that EHRs are designed to try to “routinize” processing of patient information in a way that may blinder providers when faced with an out-of-the-ordinary situation.

See Modern Healthcare article at “Botched U.S. Ebola diagnosis points to computer, human errors” and Information Week article at “Ebola Misdiagnosis: Experts Examine EHR Lessons”

Medical info now 10 times more valuable than financial data on the black market

Credit card numbers have dropped precipitously in value in recent years as PHI replaces them on the underground market.  Why?  Cyber criminals use the PHI to engage in medical fraud which, because of its complexity, may continue undetected for years.  Theft and misuse of credit cards, on the other hand, are usually detected almost immediately and the cards canceled.  In addition, in part because the financial industry has had many more years to develop sturdy safeguards against data theft, healthcare industry data is relatively easier for thieves to access.

See Reuters article at “Your medical record is worth more to hackers than your credit card”

FDA issues final guidance to medical device makers on cybersecurity

In its final guidance issued last week, the Food and Drug Administration is requesting that device makers assess what information hackers might target in connection with their devices, how hackers might attempt to access the information, and how device makers intend to address these issues both before and after putting their products on the market.  In addition, FDA is requesting that device makers report to the agency on a continuing basis regarding cybersecurity incidents that arise after product approval.

Medical devices currently on the market are considered to be relatively easy to hack, according to cybersecurity experts.  Cybersecurity and device usability, unfortunately, tend to exist in inverse relation so the challenge for device makers is to find a workable balance between the two.

See Modern Healthcare article at “FDA seeks cybersecurity assessments from medical-device makers,” the FDA press release, and the final guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” online and in pdf form.

New hope for resolving thorny sensitive PHI issues in health data exchanges

Uncertainty and disagreement regarding how to handle behavioral and other sensitive healthcare data, such as HIV and reproductive health records, has been a stumbling block for healthcare in various ways.  Potential patients do not seek help for fear that their records will be released too widely and that they will be permanently harmed as a result.  According to the Substance Abuse and Mental Health Services Administration (SAMHSA), one quarter of adults needing mental healthcare go without due to this fear, with that statistic rising to over 35% among young adults.

Meanwhile, healthcare providers want to provide more effective treatment by coordinating physical and behavioral care.  To do this, sensitive PHI must be transferred from behavioral to physical care providers.  However, behavioral healthcare and physical healthcare providers operate under different and sometimes mutually contradictory rules about how patient records may be handled and shared.  Many providers have technology to handle only “less sensitive” healthcare records.  Because the whole issue is in such a state of flux, little software exists so far to properly handle sensitive PHI.  Even if the technology to handle sensitive data was easily available, purchasing additional software to handle such data is out of financial reach for many providers.

In the midst of all this, providers, vendors and federal agencies move forward in developing solutions.  A new technological approach is to place patient-directed privacy controls on EHRs.  The federal initiative promoting this type of technology is called DS4P -- data segmentation for privacy.  A pilot software system being tested by University of Michigan Health and an Ann Arbor behavioral health provider compares behavioral health record requests made by UMH against the list of patient consent forms which are stored in the system.  If a patient consent form in the system matches the request, the information is released to UMH through a secure portal.
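
The consent-matching step described above, as an added illustration that is not the pilot's or University of Michigan Health's code: a deny-by-default check that releases a behavioral-health record only when a stored consent form matches the patient and the requesting organisation, covers every requested data category, and is neither expired nor revoked.  The patient ids, organisation names, categories and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Consent:
    patient_id: str
    recipient: str            # organisation the patient authorised to receive data
    categories: frozenset     # sensitive data categories the consent form covers
    expires: date
    revoked: bool = False

@dataclass(frozen=True)
class RecordRequest:
    patient_id: str
    requester: str            # organisation asking for the record (e.g. the hospital)
    categories: frozenset     # data categories being requested
    requested_on: date

def decide(consents, req):
    """Deny by default: release only if a consent for this patient and requester
    is unrevoked, unexpired and covers every requested category (no partial release)."""
    reasons = []
    for c in consents:
        if c.patient_id != req.patient_id or c.recipient != req.requester:
            continue
        if c.revoked:
            reasons.append("consent revoked")
        elif req.requested_on > c.expires:
            reasons.append("consent expired")
        elif not req.categories <= c.categories:
            missing = ",".join(sorted(req.categories - c.categories))
            reasons.append(f"categories not covered: {missing}")
        else:
            return "release", f"consent covers {sorted(c.categories)}"
    return "deny", "; ".join(reasons) or "no consent on file"

# Constructed sample consent store; ids, names and dates are made up.
CONSENTS = [
    Consent("p-100", "UMH", frozenset({"behavioral"}), date(2015, 6, 30)),
    Consent("p-200", "UMH", frozenset({"behavioral"}), date(2014, 1, 1)),
    Consent("p-300", "UMH", frozenset({"behavioral"}), date(2015, 6, 30), revoked=True),
]

def request(patient, org, *cats):
    """Build a request dated 2014-11-01 for the given patient, requester and categories."""
    return RecordRequest(patient, org, frozenset(cats), date(2014, 11, 1))

if __name__ == "__main__":
    print(decide(CONSENTS, request("p-100", "UMH", "behavioral", "substance_use")))
```

The denial reason is what an exchange would write to its audit log; the requester only needs to learn that the request was denied.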

See Modern Healthcare article at “Tech fixes ease sharing of sensitive patient data”

Techies invade HIT market: is their unfamiliarity with healthcare industry obstacle or advantage?

Until recently, healthcare software has been developed by IT professionals grounded in the healthcare industry.  The latest arrivals to HIT development come from a range of non-healthcare industries.  The vendor of one new product currently on the HIT market last developed software related to automobile sales, while another previously developed public relations software that helps customers manage their online image.  Some observers worry that the newcomers’ disconnect from the healthcare arena threatens the success of products they may develop, but others say this freedom from preconceptions may lead to bold and successful innovation.

See Modern Healthcare article at "IT entrepreneurs rush into healthcare, but will human touch be missing?"

Billions at risk as providers face Stage 2 hurdle

An impressive number of healthcare providers met Stage 1 requirements and qualified for EHR payments in 2011 and 2012 – some 170,000.  Of these providers, who are therefore eligible to continue in the EHR incentive program, only about 4% appear to be on track to meet Stage 2 requirements.  With the December 2014 deadline looming, providers are in danger of losing billions according to data recently released by the Centers for Medicare & Medicaid Services (CMS).

See Modern Healthcare article at “Number of providers facing Stage 2 EHR hurdle puts billions at stake”