Daniel Solove, a Research Professor of Law at George Washington Law School and Founder of TeachPrivacy, recently wrote a very interesting article pointing out how recent common-law legal actions at the local and state level, relying on the privacy provisions of various regulations, have been upheld on appeal in several states.
He cites case law where civil breach of contract lawsuits have been filed, won and upheld on appeal when an individual or group has sued an organization based upon its failure to follow the provisions of the regulations, even where the governing body (such as HHS) has failed to find fault.
In his article “Lawsuits for HIPAA Violations and Beyond: A Journey Down the Rabbit Hole” of November 18th, 2014, he highlights the recent case of “Byrne v. Avery Center for Obstetrics and Gynecology”, wherein the complainant received medical care while in a personal relationship with another person. She warned the defendant not to release her medical records to that person, who later filed a paternity suit. A court issued a subpoena to the Avery Center to appear with Byrne’s medical records. The Avery Center delivered a copy of the medical forms to the court. Byrne claimed that the disclosure was not done properly under HIPAA and that she should have been notified of the subpoena. As a result, Byrne filed suit for breach of contract, negligently releasing her medical file without authorization, negligent misrepresentation of the Center’s privacy policy, and negligent infliction of emotional distress.
The Connecticut Supreme Court held that HIPAA could be used as a basis in establishing the standard of care for negligence. The court ruled “to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”
Before you dismiss this by saying “that’s not relevant to my type of business,” consider the “creativity” of some in the legal profession in creating lawsuits. This case may not correlate directly with your situation, but consider the possibilities in a litigious society like ours, where 16 million civil lawsuits were filed last year.
Mr. Solove points out that “The Common Law provides a myriad of causes of action for plaintiffs to bring in lawsuits. Some of the most common ones in privacy cases include the privacy torts, the breach of confidentiality tort, and negligence.”
What does all that mean?
In a nutshell, it means that regulators are not the only ones you have to be concerned with when it comes to legal actions; there is also significant risk exposure to individuals who can use those same regulatory requirements against you in civil court.
So what do you do?
First and foremost, be sure you’re aware of ALL of the regulatory requirements that apply to your organization.
Second, make sure you’re crossing all of your “T’s” and dotting all of your “I’s” when following those rules.
When in doubt, keep your legal team involved whenever there’s even a hint of a question about compliance or a lack of it.
In our practice we find some organizations that don’t pay attention to details when it comes to regulatory compliance, and even some cases of “willful ignorance,” where administrators plead ignorance on issues of security and compliance hoping they won’t have to deal with the subjects.
Jeff Hoffman is an IT consultant with ACT Network Solutions specializing in network security, management and data protection. He can be reached at jhoffman@act4networks.com.