Author: Kristen Pollock McDonald (American Health Lawyers Association).

What happens if the offices of a covered entity are broken into and unsecured protected health information (PHI) of more than 500 individuals is stolen? With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act,[1] the ramifications to the covered entity and the potential liability stemming from such a breach[2] are significant, to say the least. Not only is the covered entity required to notify the affected individuals of the breach of unsecured PHI,[3] but the covered entity must also notify the media and the Secretary of the Department of Health and Human Services (HHS Secretary) of potentially damaging information concerning the breach. The HITECH Act’s requirement to report details of a significant breach not only to the affected individuals but also to the media and the Secretary may negatively impact the covered entity’s goodwill in the community and cause a loss of business. Of particular concern to the covered entity’s litigation counsel, though, is the potential liability that the covered entity may face because of the breach.
Under the HITECH Act, a covered entity is required to notify individuals of a breach of unsecured PHI and provide the affected individuals with the following information: (1) a description of what happened; (2) a description of the type of unsecured PHI that was involved in the breach; (3) steps the individuals should take to protect themselves; (4) a description of what the covered entity is doing to investigate the breach, mitigate harm to the individual, and ensure that a similar breach does not occur; and (5) contact information if the individual has questions.[4] Having to detail the nature of the breach, the type of PHI compromised, and what steps the covered entity has taken to mitigate any harm places the covered entity in a precarious position, because disclosing such information may be deemed an admission against the covered entity in future litigation brought by affected individuals.
Indeed, the affected individuals may rely upon the notification and the potential admissions contained therein to bring suit against the covered entity under federal or state law. Thus, even though the covered entity abides by the notification rules under the HITECH Act, the fact that there was a breach of unsecured PHI may expose the covered entity to various liability risks. For example, the breach may violate state patient privacy laws. Or, the covered entity may face liability under various federal statutes, such as the Public Health Services Act if substance abuse treatment records are compromised.[5] Other examples include the improper disclosure of a diagnosis of a disease, which may expose the covered entity to liability for intentional or negligent infliction of emotional distress, among other theories. Or, if Social Security numbers are compromised, the covered entity may face liability for financial losses associated with identity theft.[6] Because the covered entity may face a variety of liability risks under federal and/or state law, the risk of the notification under the HITECH Act being treated as an admission against the covered entity could have far-reaching, negative consequences in litigation.
Also increasing the risk of potential liability is the fact that the same information contained in the notification to the affected individuals must also be provided to the media.[7] Thus, not only will the general public have access to the details of the breach, but competitors will have access to the more damaging information concerning how the breach occurred and what information was compromised. Although publication in the media will not provide the affected individuals with any additional information, it could increase the risk of litigation: (1) by encouraging affected individuals who might not otherwise have acted upon their personal notification to pursue litigation against the covered entity; and (2) by educating plaintiffs’ counsel about the breach, who then may seek out the affected individuals for representation.
Although the HITECH Act’s breach notification rules are not yet effective,[8] what is quite apparent even now is that the breach notification rules will almost certainly foster litigation, particularly for significant breaches affecting more than 500 individuals.
[1] The HITECH Act was enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009. See Pub. L. No. 111-5 (2009). Most recently, on August 24, 2009, the Department of Health and Human Services (HHS) published regulations further explaining the breach notification rules under the HITECH Act. See Breach Notification for Unsecured Protected Health Information; Interim Final Rule, 74 Fed. Reg. 42740 (Aug. 24, 2009).
[2] A “breach” is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.” Id. at 42741.
[3] Unsecured PHI is defined as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance . . .” Id. The two specific methodologies listed in HHS guidance are encryption and destruction. Id.
[4] See 74 Fed. Reg. at 42750.
[5] See Public Health Services Act, set forth at 42 U.S.C. §§ 290dd. HHS’ guidance specifically contemplates potential liability depending upon the type of unsecured PHI compromised. See 74 Fed. Reg. at 42745.
[6] See id.
[7] See id. at 42752. In addition to requiring the covered entity to notify the media of a breach affecting more than 500 individuals, the HITECH Act also requires the covered entity to notify the Secretary immediately of the breach. Id. at 42753. The Secretary, in turn, lists on its website all covered entities that report breaches affecting more than 500 individuals. Id.
[8] The Interim Final Rule becomes effective on September 23, 2009. Id. at 42740, 42753.