A Connecticut Supreme Court ruling paving the way for a case involving accusations of negligence stemming from an alleged violation of HIPAA privacy standards could potentially have an impact on data breach cases, says attorney Bruce Elstein, who represents the plaintiff in the case (see Court Allows HIPAA Negligence Claim).
HIPAA doesn't allow a "private cause of action," meaning individuals cannot file a lawsuit claiming violation of their privacy under the HIPAA regulations. But in the Connecticut case, which the high court determined should proceed, the plaintiff alleges the clinic was negligent because it released confidential health records in violation of HIPAA, which is the "standard of care" for protecting the patient's information.
However, even if negligence is alleged in future HIPAA data breach cases, such as incidents involving lost or stolen unencrypted computing devices, plaintiffs will likely face a steep climb to show evidence of harm caused by the breach, Elstein says in an interview with Information Security Media Group.
Data breach cases alleging HIPAA negligence "will hinge on the issue of legal causation," he says. That means "the breach needs to be the substantial precipitating cause of the harm" to breach victims. "In those data breach cases, I think that's the weak link."
In fact, many health data breach lawsuits filed under statutes other than HIPAA, including a class action suit against Sutter Health, have been dismissed by courts due to plaintiffs failing to show evidence of harm, such as identity theft or fraud, stemming from the breach.
After considering the case for almost two years, "the [Connecticut] Supreme Court found that HIPAA, in fact, does not preempt the negligence case that we brought," Elstein says.
"The standards set forth in HIPAA both for privacy and data breaches can be used to support an appropriate case where a company is shown to regularly not have in place safeguards to protect information," Elstein contends.
"If you're using HIPAA as the standard, and you're showing a pattern of practice to be careless with your information, like never encrypting or poorly encrypting, or not having in place an appropriate program to prevent data breaches, this [Connecticut] case will lend support in the future to those cases."
Medical Records Dispute
The Connecticut case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology involved a patient who sued the healthcare clinic that released her medical records to a third party, under subpoena, without informing Byrne or getting her permission, Elstein says. That ultimately resulted in her ex-boyfriend viewing Byrne's "highly sensitive" health records and using them to harass, embarrass and extort her, Elstein alleges.
The Connecticut Supreme Court ruling in the Byrne case, which has not yet gone to trial in a lower court, sends a clear message to healthcare providers and business associates that they are at legal risk "if they fail to follow the HIPAA regulation or other privacy regulations," he says.
In the interview, Elstein also discusses:
- Additional details of the Byrne vs. Avery Center case, based on allegations of negligence;
- The next likely legal steps in the case;
- Lessons covered entities and business associates should learn from the Connecticut Supreme Court's ruling.
Elstein is an attorney at the law firm Goldman Gruder & Woods LLC, where he concentrates on personal injury cases and complex civil and commercial litigation.