Health Information Compliance Alert

HIPAA Lawsuits:

4 Ways Plaintiffs Get Around No-Private-Right-Of-Action Rule

How breach of contract claim may directly impact your NPP.

Sure, the federal HIPAA regulation bars any “private right of action,” but that doesn’t mean your patients can’t sue you for a data breach of their protected health information (PHI). In fact, an increasing number of lawsuits are arising from healthcare data breaches, and the most recent Premera Blue Cross breach is no different.

The fact that there is no private right of action under HIPAA “is a source of comfort for many healthcare entities,” noted Seattle-based healthcare attorney Casey Moriarty with Ogden Murphy Wallace Attorneys (OMW) in a March 27 firm blog posting. “Of course, patients can file complaints with the Office of Civil Rights or State Attorneys General, but a ‘HIPAA cause of action’ does not exist.”

Nevertheless, as healthcare breaches occur, many different class action lawsuits against healthcare entities have arisen. In the most recent breach, Premera is facing a class action lawsuit, which alleges a variety of causes of action. So how are class action attorneys getting around the no-private-right-of-action rule under HIPAA? Moriarty illustrates four causes of action that Premera is facing:

1. Negligence: The first cause of action Premera is facing is negligence, for which the plaintiffs must show that the insurer: 1) had a duty to the plaintiffs; 2) breached that duty; 3) caused the plaintiffs to suffer damages; and 4) committed acts that caused the damage. 

The plaintiffs allege that Premera had a “duty” to keep their personal information secure and breached this duty by failing to secure its IT systems, which directly caused the plaintiffs damages related to improper disclosure of their PHI.

2. Bailment: In the second cause of action, “‘bailment’ arises when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled,” Moriarty explained. The plaintiffs allege that they provided Premera with their personal information with the understanding that the insurer would adequately safeguard it, and that Premera breached its bailment by failing to protect the information, which resulted in the data breach.

3. Breach of Contract: The complaint alleges that Premera’s Notice of Privacy Practices (NPP), which the plaintiffs purport is a type of contract, states that the insurer must take measures to protect each beneficiary’s PHI. “Whether or not an NPP is actually a contract between a covered entity and individuals, this allegation should motivate healthcare entities to be careful in drafting their NPPs,” Moriarty warned.

4. State Data Breach Claims: Although there is no private right of action under federal HIPAA regulations, that doesn’t mean your state has the same laws. In the complaint, the plaintiffs allege that Premera violated the Washington state data breach notification regulation, under which affected individuals may bring claims for violations of this statute.

What’s more: In addition to the class action lawsuit, Premera is also now facing serious scrutiny from state insurance commissioners. Insurance regulators in Washington, Oregon and Alaska are calling for an investigation and market conduct exam to probe Premera’s finances, records and transactions, according to a March 27 Nixon Peabody LLP blog posting by Rochester, NY-based associate attorney Kate A.F. Martinez.

“Washington will reportedly supervise the investigation, with Oregon and Alaska taking lead roles,” Martinez said. The potential scope of the investigation may include Premera’s breach response and the corrective actions it has taken, the cybersecurity issues related to the breach, and the breach’s financial impact on Premera, its providers and its consumers.