The answer increasingly appears to be yes. Government action and fines are clear consequences of failure to comply with HIPAA and federal & state privacy laws, but private party action has also been successfully litigated using HIPAA, despite the fact that there are no direct allowances for private cause of action in the law.
In 2013, an Indiana jury awarded $1.44 million to a customer as a result of a violation of the Health Insurance Portability and Accountability Act (HIPAA) by a Walgreens pharmacist. The pharmacist’s husband had an affair with a woman, who was a customer of Walgreens, that resulted in a child. The woman (now ex-girlfriend) was seeking child support. The pharmacist suspected her husband’s ex-girlfriend of giving her husband a sexually transmitted disease and accessed her confidential medical history. The husband then sent a text message to the ex-girlfriend referencing her confidential medical information in an attempt to blackmail her to stop seeking child support. The suit by the ex-girlfriend accused Walgreens of negligence in its supervision of the pharmacist.
I did not sue Walgreens for violating HIPAA, I sued Walgreens for negligence, but I used HIPAA to prove that Walgreens was negligent. Similarly, I did not sue the pharmacist for violating HIPAA, I sued her for professional malpractice, but I used HIPAA to prove that what she did fell below the commonly-accepted standard for privacy protection. – Neal F. Eggerson, Attorney
Privacy breaches are increasing and the laws around them have evolved substantially. There are detailed requirements mandated by the law which are being used not only to levy fines, but to support private party lawsuits. You and your clients may or may not be subject to HIPAA, but it would be in the best interest of every business to act as if you are. You may eventually be held accountable to this standard. You are almost certainly subject to other privacy laws and lawsuits where HIPAA may be the yardstick against which your actions or inactions are measured. This is all separate and in addition to your ethical responsibilities.
Complying with the law here is much harder than most people assume. Please consider this recent quote from the FBI: “The biggest vulnerability was the perception that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise,” FBI Memo, April 17, 2014.
Top 10 Security & Compliance Guidelines For Your Firm:
- Assess risks in maintaining privacy and security, then update and/or establish policies and safeguards to ensure that everybody who touches your data (including any subcontractors and their subcontractors) will keep information confidential and your environment secure.
- Get assurances from employees and contractors in writing that they will follow adequate procedures. Please note, that simply getting a business associate agreement (as required by HIPAA) is not sufficient – be sure vendors actually understand and meet the requirements.
- Designate a single individual of appropriate authority who is ultimately responsible for your firm’s security & privacy.
- Ensure that your policies and procedures support the concept of minimum necessary use and disclosure.
- Communicate with your clients and get consent to whatever you might be doing with their information.
- Evaluate any instance where firm data is not currently encrypted. Encryption will help protect data and often provides safe harbor for data breach notification.
- Engage someone to review your policies and procedures.
- Assess risks and opportunities with your clients regarding their compliance with privacy laws.
- Consider consequences for third-party injury as a result of failure to comply.