Connecticut Supreme Court: plaintiffs can sue for HIPAA violations

It has been commonly held that a patient cannot sue under HIPAA for a breach of confidential health information, because HIPAA provides no private right of action. The patient's only recourse has been to report the violation to the federal agency responsible for enforcing the law, the Department of Health and Human Services (HHS).

Recently, however, the Connecticut Supreme Court overturned a lower court’s decision that HIPAA precludes plaintiffs’ individual liability claims relating to violations of health information confidentiality.  In Byrne v. Avery Center for Obstetrics and Gynecology, in which the clinic released PHI in response to a subpoena, the higher court ruled that “If Connecticut’s common law recognizes claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims.”

The Connecticut court’s ruling follows similar rulings in Tennessee and Delaware in recent years.  The Connecticut ruling went on to say “We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

Healthcare providers are, of course, paying close attention to these court rulings. But the rulings are also sending shock waves through other industries whose privacy and data security are governed by federal laws that likewise provide no private cause of action: FERPA and COPPA, which protect the privacy of students and children respectively; the Gramm-Leach-Bliley Act (GLBA), which governs financial institutions; and the wide-reaching Federal Trade Commission Act (FTC Act). If the Byrne reasoning carries over, compliance with those statutes could likewise be used to define the standard of care in a state-law negligence claim.

See Clinical Psychiatry News article at “Court: Patients can sue over HIPAA breaches”

State inadvertently publishes PHI on web; apologizes


A website of the North Carolina Department of Health and Human Services (DHHS) that is intended to provide transparency regarding how government money is spent got a little too transparent recently when it displayed sensitive information belonging to more than 1,300 health care patients. DHHS inadvertently published PHI (protected health information), including patients' names, addresses and payment amounts, on NC Openbook, a state website designed to provide transparency for payments made to government vendors and contractors. Some of the information was especially sensitive, since it involved patients receiving mental health treatment. DHHS has issued an apology and sent notification letters to all of those affected. In addition, the agency notified the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS), as required by the HIPAA Breach Notification Rule. As a result, this breach will appear on HHS's "Wall of Shame," where the HITECH Act requires all breaches affecting 500 or more individuals to be posted.

Unlike the many breaches caused by the accidental loss of a thumb drive or laptop, this breach came from a routine publishing step in which nobody recognized that the vendor-payment data carried PHI. It demonstrates the need for ongoing training of employees who handle PHI, and for a review step that checks a dataset for PHI before it is released to a public site. Training is not just for new employees of an organization. It has to be an integral, ongoing part of every organization's policies and procedures to avoid the kind of breach described here.

To see the WSOC TV story on this, click on:


Prison sentence for hospital employee who breached patient privacy

Back in January, we wrote about Huping Zhou, a former employee at the UCLA Healthcare System, who pleaded guilty to federal charges of breaching patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during a three-week period after being notified that he would be dismissed, mostly looking for the files of celebrities. Names of the targeted celebrities have not been revealed. That his access survived the dismissal notice is the practical lesson here: record access should be revoked when termination is decided, not when the employee finally leaves.

On April 27, 2010, Zhou was sentenced to four months in prison after pleading guilty to four misdemeanor counts of HIPAA violations. Zhou is the first person ever sentenced to prison for violating HIPAA.  According to NBC Los Angeles:

Federal officials say Zhou is a licensed cardiothoracic surgeon in China. In 2003, he went to work for UCLA as a researcher with the UCLA School of Medicine. But his tenure was short and stormy. School officials notified him that he would be dismissed in October that year, and that's when federal officials say the snooping began.

In his plea agreement, Zhou admitted his actions, and that he had no legitimate reason for accessing the records. Federal authorities say there's no evidence that he did it for profit. Apparently, he just did it because he could.

"Former UCLA Healthcare Worker Sentenced to Prison for Snooping," NBC Los Angeles (April 28, 2010).
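The Zhou case turns on one signal: record access that continued after the employee had been told he was being dismissed. What follows is an added example, not code from the article, from UCLA or from any source cited above, of a detection rule for that signal run over EHR audit-log lines. The log format, the user and patient identifiers, the dismissal-notice feed, the after-hours window and the threshold are all constructed for illustration.

```python
"""Flag EHR record access by staff who have already received a dismissal notice.

Added example. The audit-log format (timestamp|user|patient|action|reason),
the HR notice feed and every identifier below are constructed, not taken
from UCLA or from the article.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR feed: user id -> date the employee was told they would be
# dismissed. The notice date, not the last working day, is the cut-off,
# because in the Zhou case the snooping began once he was notified.
DISMISSAL_NOTICE = {
    "u4412": date(2003, 10, 1),
}

# Constructed audit-log lines. An empty reason field means the user recorded
# no treatment/payment/operations justification for opening the chart.
SAMPLE_LOG = """\
2003-09-29T10:02:11|u4412|P100231|VIEW|TREATMENT
2003-10-02T21:14:03|u4412|P100907|VIEW|
2003-10-02T21:15:40|u4412|P100911|VIEW|
2003-10-03T02:01:09|u4412|P100912|VIEW|
2003-10-03T09:30:00|u1001|P100231|VIEW|TREATMENT
2003-10-04T23:45:12|u4412|P100990|VIEW|
"""

# Hours outside this window count as after-hours (assumed clinic hours).
BUSINESS_START, BUSINESS_END = 7, 19


def parse_line(line):
    """Split one pipe-delimited audit line into a dict; raises on bad input."""
    ts, user, patient, action, reason = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "patient": patient,
        "action": action,
        "reason": reason,
    }


def post_notice_events(log_text, notices):
    """Return {user: [events]} for chart accesses on or after the user's
    dismissal-notice date. Users with no notice on file are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        notice = notices.get(ev["user"])
        if notice is not None and ev["ts"].date() >= notice:
            hits[ev["user"]].append(ev)
    return dict(hits)


def summarize(events):
    """Aggregate the indicators an investigator would want to see first."""
    return {
        "accesses": len(events),
        "distinct_patients": len({e["patient"] for e in events}),
        "no_reason": sum(1 for e in events if not e["reason"]),
        "after_hours": sum(
            1 for e in events
            if e["ts"].hour < BUSINESS_START or e["ts"].hour >= BUSINESS_END
        ),
    }


def detect(log_text, notices, threshold=3):
    """Report users with at least `threshold` post-notice accesses.
    Example: {"u4412": {"accesses": 4, "distinct_patients": 4,
                        "no_reason": 4, "after_hours": 4}}"""
    return {
        user: summarize(evs)
        for user, evs in post_notice_events(log_text, notices).items()
        if len(evs) >= threshold
    }


if __name__ == "__main__":
    for user, summary in detect(SAMPLE_LOG, DISMISSAL_NOTICE).items():
        print(user, summary)
```

The rule is a backstop, not the control: the right fix is to revoke access the moment a dismissal is decided. Where that cannot happen immediately, the HR notice feed is what lets a detection like this run at all, so it needs to be delivered to the security team on the same day the employee is told.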