Michael D. Bossenbroek, a partner at Wachler & Associates, P.C. in Royal Oak, Michigan, receives regular inquiries from patients wanting to sue their doctors after their protected health information (PHI) had been breached. His response to them: You cannot file a federal lawsuit for a HIPAA breach. “I suspect a lot of people wish that wasn’t the case,” he said.
Patients are beginning to file under state invasion of privacy and negligence laws, however, which they often are motivated to do when particularly sensitive information is leaked, such as pregnancy and the presence of a mental health condition, HIV infection, and sexually transmitted diseases.
Physicians might not deal frequently with such sensitive information, but with an increasing number of these lawsuits being filed, it is wise to take steps to avoid such unauthorized disclosures and be aware of the legal environment.
If a state statute or tort could allow a patient to file suit arising out of the improper use or disclosure of PHI, the plaintiff might appeal to HIPAA standards to prove liability, but it is not necessarily required in every situation.
Bossenbroek said it is difficult to find attorneys who are willing to take the cases. George Indest III, president and managing partner of The Health Law Firm in Orlando, agrees, saying few attorneys are familiar with these causes of action. One reason few lawsuits related to PHI breaches are filed is the difficulty proving that a plaintiff suffered true harm as a result of leaked information. Even if there was harm, plaintiffs have to prove damages to file a viable negligence case. Damages have to be substantial enough for attorneys to justify the time and money spent litigating a case.
One recent negligence suit was filed after Mount Sinai St. Luke’s Hospital faxed a patient’s PHI to the fax machine at his workplace. According to a press release by the attorney who took the case, Jeffrey Lichtman, the patient had requested a copy of his medical file by filling out a release asking that the information be mailed to his home. Three days later, a colleague brought the plaintiff a copy of his medical record after receiving it from the mail room staff. The paperwork included his HIV-positive status and treatments, other previous sexually transmitted diseases, information on his past physical abuse and mental health history, medication information, and Social Security number.
According to the attorney, the hospital reported the violation and received a $387,000 fine from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). But the man had not told his family, friends, or co-workers about his HIV status. He quit his job due to stress and lost his health insurance. The attorney said he reached out to the hospital to discuss a settlement and it declined. He is now suing for $2.5 million in damages.
More lawsuits likely to be filed
Indest said these suits will likely become more prevalent as attorneys hear about them and verdicts favor patients. Judges, he said, are also becoming more knowledgeable about these lawsuits as an increasing number of decisions are published. As a result, they may be less likely to dismiss cases involving unauthorized release of PHI. In response to this, physicians need to ensure their professional liability insurance covers these kinds of cases, including breach of patient confidentiality.
If providers inadvertently disclose PHI, they should take steps to mitigate the damage, said David Zetter, a member of the National Society of Certified Healthcare Business Consultants. For example, if medical records are sent to the wrong place, they should contact the patient and let them know, and document the procedures they will put in place to keep it from happening again.
Indest encourages physicians to discuss these issues with patients when they happen and attempt to “work it out.” “Sometimes all the patient or next of kin wants is information and to know that the physician cares,” he said. “Sometimes a small token payment or concession is all that it will take to satisfy the patient.”
But Indest cautions that doctors should never undertake any kind of action without the advice of their attorney and insurance company. This is particularly true if the threat of litigation is present. “As a risk manager as well as an attorney, my risk management advice is that if you can pay a reasonable ‘settlement’ or compensation to satisfy the patient and end the risk of a possible case, then do so,” he said.
Aside from lawsuits and filing with OCR, patients can also file complaints with the state agency where a physician is licensed. If a physician is found at fault, he or she might be subject to administrative disciplinary sanctions. License suspension or revocation and fines are possible in the worst-case scenario.
Today, however, patients are most likely to file a complaint with OCR, and physicians will be dealing with that agency when it comes to investigations and fines. The first thing physicians should do when they find out a complaint or suit has been filed is to consult with their attorney and liability insurance provider.
Lastly, the door may be opening to the filing of federal lawsuits for HIPAA violations. In August, a federal class-action lawsuit was filed against Aetna claiming the company sent letters to about 12,000 patients with information regarding prescription HIV drug orders visible through the envelope’s window.