Putative Class Action Underscores Need for HIPAA Covered Entities to Diligence Business Associates

Seth Goldberg

Last week, in a putative class action, the Eastern District of Wisconsin in Dusterhoft v. OneTouchPoint Corp., 2024 U.S. Dist. LEXIS 170993 (ED WI 2024), issued a decision denying a motion to dismiss, in part, that underscores the importance for healthcare entities of strong privacy compliance, including due diligence and auditing with respect to HIPAA-protected information provided to “business associates.”

OneTouchPoint provides brand management, marketing, printing, and supply chain logistics to healthcare providers. In connection with those services, “OneTouchPoint collects and maintains names, addresses, Social Security numbers (SSNs), member IDs, dates of birth, health insurance information, and other medical information provided during health assessments.” OneTouchPoint discovered that its servers had been improperly accessed causing a breach of 2.6 million individuals’ data, including patients of nearly 40 health insurers and healthcare service providers.

After receiving letters from OneTouchPoint advising them of the breach, nine named plaintiffs from Arizona, Georgia, Maine, Minnesota, South Carolina, and Wisconsin claimed that they provided information to OneTouchPoint clients, who in turn provided their HIPAA-protected information to OneTouchPoint, where it was disseminated in the breach. Pertinent to this article, the only injuries alleged by five of the named plaintiffs are the time and money spent combatting the effects of the breach, such as calling banks, credit card companies, etc., and the diminution in the value of their information.

The Court held that the diminution-in-value claim was insufficient to establish standing, but that the time the named plaintiffs spent mitigating the effects of the breach was an injury sufficient to establish standing. The Court further held that the complaint sufficiently alleged a claim for negligence because the mitigation efforts, as alleged damages, were not too speculative and could be shown to be causally related to the breach.

Importantly, the Court rejected OneTouchPoint’s assertion that HIPAA and Section 5 of the FTC Act do not create a private right of action to assert a claim for negligence per se, i.e., a violation of those Acts’ requirements with respect to protected information, explaining that statutory intent should dictate whether a claim for negligence per se can be asserted, and the parties did not brief that issue sufficiently. This argument, held the Court, could be raised again on summary judgment.

That the named plaintiffs will be able to proceed on their negligence and negligence per se claims, at least until a dispositive motion is filed, highlights the importance of a “Covered Entity,” like a hospital or medical practice, sufficiently understanding how a Business Associate will secure protected information. OneTouchPoint may now have to incur the significant expense of class discovery, which could lead to a settlement-leveraging class certification motion. Given that a HIPAA “Covered Entity” can be liable under HIPAA for failing to properly diligence a Business Associate, one can envision negligence and negligence per se claims being brought against a Covered Entity for a Business Associate’s data breach. Consequently, a Covered Entity should be vigilant when it diligences a Business Associate, and insist on indemnification for any claims that result from the Business Associate’s data breach.

Duane Morris attorneys are experienced in advising clients with respect to HIPAA’s privacy and security requirements.

FTC Wields Health Breach Notification Rule for First Time in Quest to Protect Consumer Health Information

By Samantha Dalmass and Melissa Sobel Snyder

The Federal Trade Commission (“FTC”) is seeking enforcement under the Health Breach Notification Rule for the first time since the rule was adopted in 2009. The Health Breach Notification Rule (16 C.F.R. Part 318) requires vendors of personal health records, PHR-related entities, and third-party service providers that are not otherwise subject to the Health Insurance Portability and Accountability Act (“HIPAA”) to notify their customers and the individuals whose personal health records are disclosed in the event of a breach or unauthorized disclosure. In its complaint filed against GoodRx on January 1, 2023, the FTC targets the digital health platform, alleging that it repeatedly violated the promises it made to its customers regarding the protection of their personal health information, including that such information would be shared only with limited third parties and for limited purposes; that GoodRx would restrict such third parties’ use of customer information; and that it would never share personal health information with advertisers or other third parties.

HHS Issues Proposed Changes to the HIPAA Privacy Rule

On December 10, 2020, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify the HIPAA Privacy Rule. HHS stated that the proposed modifications, which are being issued as part of HHS’s “Regulatory Sprint to Coordinated Care,” are aimed at removing barriers to coordinated care, strengthening individuals’ access to their own medical information, and reducing unnecessary administrative burdens. Proposed changes to the HIPAA Privacy Rule in the NPRM include:

The CARES Act Amends Federal Law Governing the Confidentiality of Substance Use Disorder Patient Records

The CARES Act (the “Act”), enacted on March 27, 2020, makes notable changes to federal law governing the disclosure of substance use disorder (“SUD”) records. The Act amends 42 U.S.C. 290dd-2, the governing statute of the regulations at 42 C.F.R. Part 2 (“Part 2”), to better align certain of its confidentiality requirements with HIPAA. The amendments do not change the basic premise that prior written consent of the patient is required for disclosure of SUD treatment records. However, once prior written consent of the patient is obtained, the amendments allow a covered entity, business associate, or Part 2 program to use or disclose SUD records for purposes of treatment, payment, and health care operations as permitted by HIPAA. Any information so disclosed may then be redisclosed in accordance with the HIPAA regulations. The amendments also allow a patient’s prior written consent to be given once for all such future uses or disclosures for purposes of treatment, payment, and health care operations, until the patient revokes his or her consent in writing.

OCR Loosens HIPAA Enforcement Amidst Coronavirus Pandemic

Let’s face it, there has not been much positive news lately surrounding the Coronavirus (“COVID-19”). However, the Office for Civil Rights (“OCR”), the agency within the Department of Health and Human Services (“HHS”) that enforces the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules, announced several recent measures to allow health care providers to avoid certain HIPAA penalties and sanctions amidst the COVID-19 pandemic.

There are several measures OCR/HHS has taken to lessen the regulatory burden of HIPAA for health care providers amidst COVID-19. Here is the latest breakdown of important pronouncements and guidance set forth by OCR/HHS to help providers deal with COVID-19 and HIPAA compliance:


Cybersecurity and Emergency Preparedness for Long-Term Care

On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.

Whether State surveyors will actually treat the lack of a cybersecurity plan for emergency preparedness as a violation remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity back-up plan as part of a facility’s emergency preparedness going forward. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA compliance. In 2016, payouts for HIPAA violations skyrocketed to a record $23.51 million collected by OCR enforcers from health care providers. That number was triple the previous record of almost $7.94 million in payouts in 2014, which was followed by $6.19 million in payouts in 2015.


Government Cracks Down On Nursing Home Use of Social Media

On August 5, 2016, the Centers for Medicare and Medicaid Services (CMS) published a Survey and Certification Memorandum (Notice) urging State health departments to enforce violations by nursing homes in posting patient images on social media. This development was interesting given that the Office for Civil Rights (OCR), the enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, presumably should already be cracking down on any such violations of resident rights as a violation of HIPAA. According to Modern Healthcare, increased instances of nursing home staff inappropriately posting resident pictures on social media may have sparked this pronouncement by CMS.

Specifically, CMS will more strictly enforce, through State agencies, corrective actions to ensure that employee postings of residents in a degrading manner do not occur in the nursing home setting. Interestingly, the Notice does not discuss nursing homes reporting such employee conduct to OCR, but does indicate that employees should report such postings of residents on social media as abuse “to at least one law enforcement agency.”

WellPoint Pays HHS $1.7 Million to Settle HIPAA Security Violations

Covered Entities Cautioned Regarding Use of Business Associates

On July 8, 2013, health insurer WellPoint, Inc. entered into a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (HHS), agreeing to pay HHS $1.7 million to resolve an HHS complaint regarding violations of the HIPAA Privacy and Security Rules during the period of October 23, 2009, through March 7, 2010. WellPoint reported a breach of electronic protected health information (ePHI) on June 18, 2010, leading to an HHS investigation that commenced on September 9, 2010.

The WellPoint matter serves as a reminder to HIPAA-covered entities and subcontractors that are business associates to comply with the HIPAA Security Rule and to prudently oversee the services provided by these business associates.


Final HIPAA Wellness Program Regulations Issued Under Affordable Care Act

On June 3, 2013, the U.S. Department of Labor, Department of Health and Human Services, Internal Revenue Service, Employee Benefits Security Administration and Department of the Treasury published in the Federal Register final guidance regarding nondiscriminatory wellness programs under employer-sponsored group health plans. This final guidance was issued in the form of much-anticipated joint final regulations on such wellness programs (the “Final Regulations”). It is important to note that the Final Regulations will apply to wellness programs offered under all group health plans [regardless of whether the plan is “grandfathered” under the Patient Protection and Affordable Care Act (the “Affordable Care Act”)]. Moreover, these Final Regulations will be effective for plan years beginning on or after January 1, 2014.


HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others

The 2013 HIPAA Amendments directly apply to healthcare providers, plans and clearinghouses as “covered entities,” as well as their subcontractors and vendors as “business associates” (including their downstream subcontractors and agents). However, it is not just covered entities and business associates that need to understand the 2013 Amendments. Advertisers, data aggregators, market researchers and others that want access to PHI, even data that appear to be de-identified, will be impacted.


© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
