George Breen, a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the Washington, DC, office, was quoted in an article titled “Lawyers Get Creative to Circumvent HIPAA’s Lack of a ‘Private Right.’” The article also appeared in Health Business Daily.
Following is an excerpt:
Patients may not have the right to sue covered entities for violations of HIPAA, but their attorneys are finding other laws, mostly at the state level, that allow patients to seek retribution after data breaches or other issues. And many of them have been successful.
“One thing we often hear from folks is, ‘There’s no private cause of action under HIPAA, so my concerns are somewhat lifted because I know no one can pursue [that] against me,’” which has been consistently held in case law. But “that hasn’t stopped … individuals from pursuing covered entities for data breaches,” said George Breen during a Sept. 8 webinar sponsored by the firm.
In a recent example, Health Net notified almost 2 million of its members that their information was breached when storage devices maintained by IBM went missing (RPP 5/11, p. 1). The insurer made the announcement in early March, and by March 22, a class-action suit had been filed on behalf of current and former members in federal court in California, Breen said. It is seeking injunctive relief and $5 million in damages for violating California’s Confidentiality of Medical Information Act.
“In this case, what you see is the emphasis being placed on the HIPAA obligation to comply with reporting of the data breach. Now, even though there’s no private cause of action [under HIPAA], in this situation you’re defending a class-action suit of a violation of a similar state statute,” Breen explained.
In some instances, piggyback lawsuits are resulting because of the attention the original cases are getting in the news. For example, Breen said, a man applying to Anthem Blue Cross of California filed a suit against the company in March 2010 because he saw that his application could be accessed on the company’s website along with those of other prospective members. That case was settled in August, but because of the attention it received, the Indiana Attorney General’s office sued WellPoint (Anthem’s parent company), alleging that it had breached Indiana’s data breach protection laws (RPP 8/11, p. 12).
So “new litigation venues [are] opening up given this increased emphasis on HIPAA and privacy and data protection,” according to Breen.
“As you are reacting to a breach, you need to recognize what you are likely doing with the documents you are creating [to notify] folks and conduct an investigation. You are creating Exhibit 1, 2, etc. in a potential lawsuit. And you need to … act cautiously as you’re reacting and you’re conducting your investigation because the paper you are creating and the message you are sending is going to be used as these investigations and as the litigation proceeds,” he said.