Hostname: page-component-cd9895bd7-q99xh Total loading time: 0 Render date: 2024-12-27T08:10:58.391Z Has data issue: false hasContentIssue false

Recent Case Developments

Published online by Cambridge University Press:  06 January 2021

Abstract

Image of the first page of this content. For PDF version, please use the ‘Save PDF’ preceeding this image.'
Type
Notes and Recent Case Developments
Copyright
Copyright © American Society of Law, Medicine and Ethics and Boston University 2016

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 Walker v. Bos. Med. Ctr. Corp., No. SUCV20151733BLS1, 2015 WL 9946193 (Mass. Supp. Nov. 20, 2015).

2 Id. at *1 (citing the language in the letter sent to patients).

3 Id.

4 Id.

5 See 45 C.F.R. §§ 164.500-534 (2015); Summary of HIPAA Privacy Rule, Dep't of Health & Human Servs., http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html [hereinafter HIPAA Privacy Rule] [http://perma.cc/DMP4-EXDN].

6 Massachusetts' regulations of personal information are defined more broadly than HIPAA, whose focus is specific to health information. See Mass. Gen. Laws ch. 93H, § 2 (2007); 201 Mass. Code Regs. 17.02 (2009) (defining “personal information” as “a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account”).

7 See Mass. Gen. Laws ch. 214, § 1B (2000).

8 See 45 C.F.R. §§ 164.400-414 (2015); Breach Notification Rule, Dep't of Health & Human Servs., http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html [hereinafter HIPAA Breach Notification Rule] [http://perma.cc/2PRQ-JHAP].

9 The Trial Court in Walker uses the terminology “patient information” to indicate protected patient health information. It is used throughout this paper to mean any personal or clinical information that can identify a particular patient, which is defined under HIPAA as “protected health information” (PHI). For Massachusetts law, see supra text accompanying note 6.

10 See Walker v. Bos. Med. Ctr. Corp., No. SUCV20151733BLS1, 2015 WL 9946193, at *1 (Mass. Supp. Nov. 20, 2015) (“The letters noted that the medical records ‘could potentially be accessed by non-authorized individuals' although BMC had ‘no reason to believe that this led to the misuse of any patient information.’ BMC could not say ‘how long the information was publicly accessible through the site.’”).

11 Id. at *1.

12 Id.; Mass. R. Civ. P. 12(b)(1), 12(b)(6).

13 See Walker, 2015 WL 9946193, at *1.

14 Id. at *1 (quoting Pugsley v. Police Department of Boston, 472 Mass. 367, 371 (2015)).

15 Id. at *2. The Walker Trial Court explained that Massachusetts law requires complaints to state “factual ‘allegations plausibly suggesting (not merely consistent with)’ an entitlement to relief” Id. (quoting Iannacchino v. Ford Motor Co., 451 Mass. 623, 636 (2008), quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 557 (2007)). According to this standard, if a plaintiff states a sufficient claim for relief, then courts must accept allegations as true and draw “every reasonable inference in favor of the plaintiff.” Id. (quoting Curtis v. Herb Chambers I–95, Inc., 458 Mass. 674, 676 (2011)).

16 Id.

17 The Trial Court in Walker chose not to rely on In re Horizon Healthcare Services Inc. Data Breach Litigation, which Defendants offered in support of their case; instead relying on Tabata v. Charleston Area Medical Center for support in determining questions of standing. See id. at *2 n.4; In re Horizon Healthcare Servs. Inc. Data Breach Litigation, No. 13-7418 (CCC), 2015 WL 1472483 (D.N.J. March 31, 2015); Tabata v. Charleston Area Med. Ctr., 759 S.E.2d 459 (W. Va. 2014).

18 See HIPAA Breach Notification Rule, supra note 8 (defining breach notification and the individual reporting requirements under HIPAA).

19 See 45 C.F.R. § 160 (2007); HIPAA Enforcement, Dep't of Health & Human Servs., http://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html [hereinafter HIPAA Enforcement Rule] [http://perma.cc/Y7LD-BUKC] (implying that enforcement of HIPAA is through administrative channels only).

20 To some extent, these implications may be mitigated by Massachusetts' charitable immunity law, which may limit recovery, and therefore, the incentive to bring such class actions. See Mass. Gen. Laws ch. 231, § 85K. However, it may be possible that the Massachusetts risk of harm analysis is more lenient than the federal standard simply because of the higher bar for recovery against the majority nonprofit health care entities in Massachusetts.

21 See In re Horizon, 2015 WL 1472483, at *6.

22 See id. (noting that certain plaintiffs “cannot rely on their increased likelihood of future harm as a basis for standing”).

23 Id. at *1.

24 Id. at *5-6.

25 Id. at *6.

26 759 S.E.2d 459 (W. Va. 2014).

27 See id. at 464 (“Application of our law to the facts of this case indicates that the petitioners have standing to bring a cause of action for invasion of privacy.”).

28 Id. at 462 (quoting the letter from Charleston Area Medical Center to Plaintiff patients).

29 Id. at 464 (holding that patients “have a legal interest in having their medical information kept confidential” and a legally protected interest in privacy, and therefore, a breach a privacy or physician's breach of duty of confidentiality are causes of action).

30 Id.

31 By definition, only “covered entities” (or their business associates) are subject to HIPAA regulations. See Covered Entities and Business Associates, Dep't of Health & Human Servs., http://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html [http://perma.cc/AM6D-2STH].

32 Paul E. Knag, Class-Action Waivers and Arbitration Clauses in HIPAA/Data Security Disputes, AHLA Connections 26 (December 2015), http://www.murthalaw.com/files/pek_ahla_12.2015_classaction_waivers_and_arbitration_clauses_in_hipaa_data.pdf [http://perma.cc/6WWF-8ZYE].

33 See HIPAA Enforcement, supra note 19.

34 See HIPAA Breach Notification Rule, supra note 8.

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors: 1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; 2. The unauthorized person who used the protected health information or to whom the disclosure was made; 3. Whether the protected health information was actually acquired or viewed; and 4. The extent to which the risk to the protected health information has been mitigated. Id.

35 In Walker, the Plaintiffs relied on Massachusetts state law governing invasion of privacy to justify one count of their tort claim, however, the case must progress further for a determination as to the case merits. See Walker v. Bos. Med. Ctr. Corp., No. SUCV20151733BLS1, 2015 WL 9946193, at *1 (Mass. Supp. Nov. 20, 2015). Likewise, in Tabata, the court found that the Plaintiffs were entitled to a right to privacy and confidentiality, providing them with causes of action for the data breach. See Tabata v. Charleston Area Med. Ctr., 759 S.E.2d 459 (W. Va. 2014).

36 See generally infra note 40 (describing two cases that provide a good overview of the use of HIPAA to demonstrate standard of care in state tort claims).

37 See Baum v. Keystone Mercy Health Plan, 826 F. Supp. 2d. 718, 718 (E.D. Pa. 2011) (holding that “even if action implicated Health Insurance Portability and Accountability Act (HIPAA), it did not assert removable federal question”); Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32, 33 (Conn. 2014) (holding that “to the extent Connecticut's common law recognizes claims arising from … provider's alleged breach of its duty of confidentiality …, HIPAA and its implementing regulations do not preempt such claims, and … may be utilized to inform the standard of care applicable to such claims”).

38 Knag, supra note 32 (“plaintiffs successfully rely[] on HIPAA violations as a basis for state-law claims.”).

39 See Byrne, 102 A.3d at 44, 49 (finding that such claims are not “contrary” to the HIPAA rules, and therefore do not preempt state law claims of privacy because “[t]he availability of such private rights of action in state courts … do not preclude, conflict with, or complicate health care providers' compliance with HIPAA. On the contrary, negligence claims in state courts support at least one of HIPAA's goals by establishing another disincentive to wrongfully disclose a patient's health care record”) (internal quotations omitted).

40 See id. at 46-47 (“[A] number of cases from the federal and sister state courts holding that HIPAA, and particularly its implementation through the Privacy Rule regulations, does not preempt causes of action, when they exist as a matter of state common or statutory law, arising from health care providers' breaches of patient confidentiality in a variety of contexts; indeed, several have determined that HIPAA may inform the relevant standard of care in such actions.”).

41 See Walker v. Bos. Med. Ctr. Corp., No. SUCV20151733BLS1, 2015 WL 9946193, at *2 (Mass. Supp. Nov. 20, 2015) (drawing inferences directly from BMC's notification to patients).

42 See supra text accompanying note 34.

43 See HIPAA Breach Notification Rule, supra note 8 (laying out the reporting guidelines to individuals and the Secretary).

44 Knag, supra note 32, at 26-27 (“Baum [v. Keystone] should make [health care providers] and payers eager to implement arbitration clauses with class-action waivers into their agreements with patients and customers … implicat[ing] the Federal Arbitration Act (FAA) … [and] result[ing] in compelled arbitration. Instead, lacking federal jurisdiction and a class-action waiver, [Baum v.] Keystone was left to defend a 280,000-person class action in state court.”).

45 Id. at 29.