George Breen, a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the Washington, DC, office, was quoted in an article titled "Lawyers Get Creative to Circumvent HIPAA's Lack of a 'Private Right.'" The article also appeared in Health Business Daily.

Following is an excerpt:

Patients may not have the right to sue covered entities for violations of HIPAA, but their attorneys are finding other laws, mostly at the state level, that allow patients to seek retribution after data breaches or other issues. And many of them have been successful.

"One thing we often hear from folks is, 'There's no private cause of action under HIPAA, so my concerns are somewhat lifted because I know no one can pursue [that] against me,'" which has been consistently held in case law. But "that hasn't stopped ... individuals from pursuing covered entities for data breaches," said George Breen during a Sept. 8 webinar sponsored by the firm.

In a recent example, Health Net notified almost 2 million of its members that their information was breached when storage devices maintained by IBM went missing (RPP 5/11, p. 1). The insurer made the announcement in early March, and by March 22, a class-action suit had been filed on behalf of current and former members in federal court in California, Breen said. It is seeking injunctive relief and $5 million in damages for violating California's Confidentiality of Medical Information Act.

"In this case, what you see is the emphasis being placed on the HIPAA obligation to comply with reporting of the data breach. Now, even though there's no private cause of action [under HIPAA], in this situation you're defending a class-action suit of a violation of a similar state statute," Breen explained.

In some instances, piggyback lawsuits are resulting because of the attention the original cases are getting in the news. For example, Breen said, a man applying to Anthem Blue Cross of California filed a suit against the company in March 2010 because he saw that his application could be accessed on the company's website along with those of other prospective members. That case was settled in August, but because of the attention it received, the Indiana Attorney General's office sued WellPoint (Anthem's parent company), alleging that it had breached Indiana's data breach protection laws (RPP 8/11, p. 12).

So "new litigation venues [are] opening up given this increased emphasis on HIPAA and privacy and data protection," according to Breen.

"As you are reacting to a breach, you need to recognize what you are likely doing with the documents you are creating [to notify] folks and conduct an investigation. You are creating Exhibit 1, 2, etc. in a potential lawsuit. And you need to ... act cautiously as you're reacting and you're conducting your investigation because the paper you are creating and the message you are sending is going to be used as these investigations and as the litigation proceeds," he said.
