HIPAA-related lawsuits came to the attention of Alexander Wolff when a fellow attorney called him with a case a few years ago. The plaintiff was a woman who was a friend of a man dating a nurse. The nurse, who worked at a hospital where the plaintiff received healthcare, was suspicious that the plaintiff and the man were having an affair, so she accessed the woman’s chart. The nurse sent the man screenshots of the woman’s records. When he received the screenshots, he told the plaintiff.
Wolff, a partner at Wolff & Wolff Trial Lawyers in St. Louis, Missouri, took the case and went to the hospital with the information and photos. The organization quickly settled the case, paying more money than he had anticipated. “They clearly wanted to make it go away,” he said.
This initial case put HIPAA breach law on his radar.
Personal injury attorneys typically want objective evidence of injuries, such as X-rays or computed tomography scans. After Wolff took his first case and did some research, he realized he had happened upon a new kind of injury that would be hard to define.
For Wolff to take a case, he must be able to prove damages. His first client was humiliated and suffered sleepless nights for weeks. She was embarrassed her friend found out her personal information, but her real concern was who else might know.
“She had no idea who else this nurse had told and there is no way to put that toothpaste back in the tube,” Wolff said.
The plaintiff did not feel comfortable going back to the hospital where the breach occurred. Afterward, she found it difficult to reengage with the medical community in general.
Courts recognize a few different actions against providers who have a breach. Wolff said the suits are typically filed under breach of fiduciary duty, breach of contract, or negligence. State attorneys general can bring a class action civil suit on behalf of people harmed by a HIPAA violation.
State laws regulating HIPAA suits vary widely. In some states, an employer can be found liable for a snooping employee; in others, that’s not the case.
Wolff said he signs up about 1 in every 10 patients who consult with him about suing a provider for an information breach. Many have legitimate cases, but these cases either cannot be proven or are weak. Factors affecting his decision to take a case include the sensitivity of the information, how it was transmitted, how many people might have seen it, and strength of the evidence to prove the case.
What potential plaintiffs want also matters, Wolff said. He typically will not take a case if they are just seeking money, but he listens when patients say breaches destroyed their lives and they want to ensure it does not happen to anyone else.
HIPAA compliance officers can only force providers to make changes within an organization to avoid future breaches, but the only recourse for patients who have been harmed by breaches is to sue for damages. This can be an effective deterrent.
“Conduct rewarded is conduct repeated,” he said. “If they [providers] are hit in the pocketbook, they will retrain staff and make sure there is no second time.”
The settlements and jury awards in these cases vary widely and can be well into six figures, depending on the facts and whether disclosure was accidental or intentional. “It’s like the difference between a car crash from someone skidding on ice versus one caused by someone who drives drunk and totals a car,” he said.
A woman in St. Louis, Missouri, whose mental health records were released to her ex-husband during a custody suit settled a case for $385,000. In that case, the ex’s attorney subpoenaed the records and, without notifying the patient, the hospital mailed the records to the attorney.
In a case in Alabama, a jury awarded $300,000 after a doctor accessed a woman’s drug history from the state’s prescription monitoring program. The woman was in a custody battle with her ex-husband, and his current wife asked the doctor to retrieve the records. The plaintiff sued the hospital for failing to discipline the doctor after notification of the breach.
Some organizations are more likely to take cases to court than settle, such as when evidence is weak, Wolff said. Providers often settle to avoid publicity and because they know the damages from a HIPAA breach will resonate with juries, Wolff said. He added that he prefers to settle cases “if the value is there, but I am ready and willing to file suit if the provider does not take the complaint seriously or makes a low offer that does not satisfy my client.”
He also prefers to settle with providers if this would make them less prone to future mistakes. “If you choose to operate a healthcare facility, you have to take it upon yourself to make sure employees are trained not to snoop on patients,” he said.
An important way to prevent lawsuits is to perform consistent IT audits. Providers must understand who has access to different parts of an electronic medical records system and, when possible, allow staff to access only those parts of the system that enable them to do their jobs.
“They have to have the flexibility to be able to do jobs,” Wolff said. “But there should be firewalls built into the system to keep people from doing things to expose you to trouble.”