“There is no private right of action under HIPAA.” This oft-repeated rule is a source of comfort for many health care entities.
Of course, patients can file complaints with the Office of Civil Rights or State Attorneys General, but a “HIPAA cause of action” does not exist.
So what is the basis for the many different class action lawsuits against health care entities that have been hit with data breaches? The recent class action lawsuit filed against Premera sheds some light on strategies of class action attorneys.
The Complaint alleges seven different causes of action. This article will focus on four of the claims.
The Four Causes of Action in the Premera Complaint
-
Negligence:
The first cause of action is negligence. To establish a claim for negligence, the plaintiff must show that an entity: (1) had a duty to the plaintiff, (2) the entity breached the duty, (3) the plaintiff suffered damages, and (4) the entity’s acts caused the damage.The Complaint states that Premera had a “duty” to keep the plaintiffs personal information secure as the provider of health coverage to the plaintiffs. Premera breached this duty by failing to secure its IT systems and this failure directly caused the plaintiff’s damages related to improper disclosure of health information.
-
Bailment: The second cause of action is Bailment. A “bailment” arises when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled.
In other words, “I’m giving you my stuff with the expectation that I’ll get it back in the same condition.”
The Complaint alleges that the plaintiffs provided Premera with their personal information with the understanding that Premera would adequately safeguard it. Premera breached its bailment by failing to protect the information which resulted in the data breach.
-
Breach of Contract:
The third cause of action is breach of contract. My first question concerning this claim is: “Did Premera actually state in its beneficiary agreements that it would keep all data secure?”Based on the allegations in the Complaint, the answer appears to be no.
However, the Complaint alleges that Premera’s Notice of Privacy Practices (NPP) states that Premera must take measures to protect each beneficiary’s health information. Whether or not an NPP is actually a contract between a covered entity and individuals, this allegation should motivate health care entities to be careful in drafting their NPPs.
-
Washington State Data Breach Claim: In emphasizing the “no private right of action under HIPAA” mantra. Many entities fail to take understand state laws concerning data breaches.
In the Complaint, the plaintiffs allege that Premera violated the Washington State data breach notification requirements of RCW 19.255.010. Unlike HIPAA, affected individuals may bring claims for violations of this statute.
Among the requirements of RCW 19.255.010 is to disclose data breaches in the most “expedient” time possible and without “unreasonable delay.” The Complaint alleges that Premera took far too long to notify beneficiaries of the data breach.
Conclusion
In light of these claims (and others) in the Premera breach complaint, the warning for health care entities is clear: You can be sued by your customers for data breaches.
Although HIPAA may not provide for a private right of action, there are many other ways for plaintiffs to recover compensation for the failure to keep health information secure.
For more information about data breaches, please contact Casey Moriarty.