Class Action Lawsuit Filed for Breach of Patient Information at Charleston Area Medical Center

by Kevin.Patton 10. May 2011 10:30

By: Helen Oscislawski, Principal at Attorneys at Oscislawski LLC

A class action lawsuit has been filed by five of the approximately 3,655 affected individuals whose information was breached by Charleston Area Medical Center. Since there is no private right of action afforded to patients under HIPAA or HITECH, the causes of action are based on four principles: breach of confidentiality; negligence; invasion of privacy by intrusion on seclusion; and invasion of privacy by unreasonable publicity of private life.

The lawsuit, Tabata v. Charleston Area Medical Center, stems from a breach involving a database, accessible on the internet, that contained patient names, Social Security numbers, medical information, and demographic information. A family member of a patient had found the information while searching the web. The database was created in September of 2010 by a third party for patient case management in a research subsidiary of the hospital, but the breach was not discovered until February 2011. As required under HITECH's Breach Notification Rule, the hospital promptly notified all potentially affected patients within 8 days of discovering the breach (note that most states also have breach laws requiring that patients be notified; see www.ncsl.org/default.aspx?tabid=13489 for a recent list of state breach laws).

The patients are asking the hospital to extend additional credit and identity protection and monitoring services, as well as award monetary damages for annoyance, embarrassment and emotional distress, and for the lack of security and violation of their privacy.

It is unclear yet how this case will pan out, but it is one to watch. What is also unclear is whether the Department of Health and Human Services (DHHS) will assess any damages for the breach. Even if the medical center complied in full with its notification obligations under the HITECH Breach Rule, DHHS will likely be evaluating whether the hospital OR its business associate fell short on any of the safeguards required under the HIPAA Security Rule. As most now know, post-HITECH, it is possible, depending on how the facts unfold, that the third-party BA here could be assessed penalties by DHHS, while the hospital could be found compliant (or both could be found to have fallen short). More importantly, irrespective of what DHHS finds as a matter of penalty assessment under HIPAA, the determination, either way, will not be binding in any way on the lawsuit. The lawsuit will unfold on its own based on the state law claims, which invoke a different standard.

In light of the Tabata case, here are a few points that covered entities and business associates should consider when trying to manage liabilities associated with potential breaches:

  • Carefully negotiate HIPAA Business Associate agreements that allocate responsibility for ensuring security. Each party should be responsible for its own acts and omissions, and indemnify the other party for its own wrongdoing. The HIPAA BAA should state this.
  • Make sure that your insurance covers the various liabilities and costs that can arise from breaches, including penalties and lawsuits like this one. Other costs to cover include public relations, internal investigations, defense costs, etc.
  • Any party that is holding, creating or handling PHI on an entity's behalf should be able to produce a security gap audit demonstrating that it has adequate administrative, technical, and physical safeguards in place. If the third party cannot produce such an audit, this is an indication that it probably does not know what risks lie lurking at its organization that could result in a breach.

So, does your organization have a plan in place if there is a security breach?