A recent decision by the United States Court of Appeals, Eleventh Circuit (which includes Florida), underscores the importance of both covered entities and business associates adopting electronic security measures that are consistent with the guidance provided by HIPAA-HITECH.
 
HIPAA protects individual patients’ protected health information (PHI) from unauthorized disclosure or use. The federal government and the state attorneys general have the power to prosecute violations of HIPAA. However, Congress did not provide a similar right (a “private right of action”) to individuals who may be harmed by an unauthorized disclosure of their PHI. The Eleventh Circuit’s decision suggests that injured individuals may be able to obtain relief for HIPAA-HITECH related injuries under state law.
 
In December 2009, two laptop computers were stolen from AvMed, Inc., a Florida health maintenance organization. These laptops contained the unencrypted Social Security numbers, names, addresses, phone numbers and other PHI of approximately 1.2 million current and former AvMed enrollees. Unfortunately, individuals involved in an identity theft scheme obtained this information. Allegedly, some of the AvMed enrollees had their identities stolen. According to one Plaintiff, information obtained from the stolen AvMed computers was used to open a bank account, activate credit cards that were then used to make unauthorized purchases, and change the Plaintiff’s personal address with the U.S. Postal Service. Another Plaintiff alleged that their information was used to open an account with an online brokerage firm, which was subsequently overdrawn.
 
It is important to note that AvMed had disclosed this theft and unauthorized disclosure of PHI pursuant to HIPAA-HITECH, thereby enabling the company to avoid federal sanctions. Nevertheless, without a private right of action under HIPAA, these Plaintiffs sued AvMed on behalf of the class of individuals whose information was stored on the laptops and the subclass of those individuals whose identities had been stolen. They argued seven state-law theories; specifically, that AvMed:
           
1. was negligent in protecting their sensitive information;
2. breached its contract with the Plaintiffs;
3. breached its implied contract with the Plaintiffs;
4. caused harm for which the Plaintiffs were entitled to recover under a theory of unjust enrichment;
5. breached the fiduciary duty it owed to the Plaintiffs;
6. breached the implied covenant of good faith and fair dealing; and
7. was negligent per se by reason of its violation of Florida’s medical information protection statutes.
 
The Eleventh Circuit reversed the federal district court’s dismissal of the Plaintiffs’ Complaint and remanded the case to the district court to consider the first five of the Plaintiffs’ theories. The majority opinion concluded by stating:
 
In this digital age, our personal information is increasingly becoming susceptible to attack. People with nefarious interests are taking advantage of the plethora of opportunities to gain access to our private information and use it in ways that cause real harm … Here, Plaintiffs have pled a cognizable injury and have pled sufficient facts to allow for a plausible inference that AvMed’s failures in securing their data resulted in their identities being stolen.
 
Although this lawsuit involves a large insurer, health care providers, suppliers and their business associates should all pay attention to this development. Whether or not AvMed prevails, the cost of defending itself will likely far exceed the cost of adopting measures that would have minimized the risk of an unauthorized party obtaining and making use of its enrollees’ PHI. For example, encrypting the data or making computer access dependent on fingerprint recognition technology may have prevented the thieves from obtaining the PHI that allowed them to steal these individuals’ identities. In addition to complying with HIPAA-HITECH, every party with access to PHI should seriously consider adopting measures that ensure the security of that information and thus minimize the likelihood of having to defend itself in the event of an unauthorized disclosure.