HIPAA compliance is not the end of liability for compromising patient privacy

HIPAA Compliance is Just the Start

You think you’ve got HIPAA compliance handled so that you can stay ahead of steep federal penalties, and then you learn that this is just the beginning of the story.

HIPAA compliance itself is thorny.  The statute isn’t written in English—aliens landed from another planet onto the Capitol and wrote it according to their customs and culture.  Seriously.

If you’d like the anthropologist’s version, you can read our 8-part series, including:

  • HIPAA Omnibus Rule: Part 8 (Breach Analysis) – The HIPAA Omnibus Rule makes a number of additional important changes to breach analysis in case of a breach of unsecured PHI.
  • HIPAA Omnibus Rule: Part 7 (Notice of Privacy Practices & Other Provisions) – The Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic […]
  • HIPAA Omnibus Rule: Part 6 (Business Associate Agreements) – The new HIPAA Omnibus Rule requires that some changes to the rules about business associate agreements must be made.
  • HIPAA Omnibus Rule: Part 5 (Privacy Rule Changes) – The HIPAA / HITECH Privacy Rule has been changed.
  • HIPAA Omnibus Rule: Part 4 (Security Rule Changes) – The Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic […]
  • HIPAA Omnibus Rule: Part 3 (Enforcement & Penalties) – The Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic […]
  • HIPAA Omnibus Rule: Part 2 (Business Associates & Subcontractors) – Business Associates and subcontractors have expanded obligations under the Omnibus Rule.
  • HIPAA Omnibus Rule: Part 1 (Overview) – The Department of Health and Human Services Office for Civil Rights (OCR) released its final rule, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under […]

These are much more fun than taking melatonin.

Or see our prior posts about common HIPAA violations, HIPAA breaches, and how you scale HIPAA to a doctor’s office or other venture:

  • Common HIPAA privacy and security violations flagged – Common HIPAA violations are flagged by HIPAA Helper, a publication of ProPublica, an “independent, non-profit newsroom that produces investigative journalism in the public interest.”
  • Healthcare hacks and data breaches increasing, even as HIPAA compliance grows – Is your data safe? Healthcare hacks and data breaches are increasing, even as HIPAA compliance grows.
  • Does HIPAA scale for a physician practice? Is HIPAA compliance mandatory? – HIPAA sounds like “hippo” for a reason: it’s big, clunky, noisy, and unwieldy. Can, and should, a small physician practice implement HIPAA practices?
  • Are your privacy and security practices HIPAA compliant? – Even if HIPAA doesn’t technically apply to your wearable tech venture, mobile medical app, or telemedicine project, state laws have mirror privacy and security provisions with which your […]
  • Can you make HIPAA Privacy & Security easy for a small doctor’s office or other practice? – Making HIPAA compliance easy is like trying to catch a firefly in your hand.
  • HIPAA Laws Mandate HIPAA Policies & Procedures, HIPAA training, and HIPAA compliance implementation even for small medical practices (and business associates) – HIPAA compliance is mandatory, not optional, with both federal and state governments stepping up HIPAA enforcement.

Increasingly, compliance for the sake of avoiding government penalties is the tip of the iceberg.  Plaintiff class action lawyers are on the hunt for violations of law.  In California, they often add claims such as fraud or unfair and deceptive business practices.  Maxwell Smart would have called it, “the old 17200 in the finger trick!” (after the popular Business & Professions Code section that plaintiffs’ lawyers so often rely on to scare quick settlements out of their marks).

MD Class Action Privacy Lawsuit Strikes HIPAA Fear

In the heart of HIPAA darkness, in a round aimed squarely at telemedicine, one class action law firm launched a privacy lawsuit against MDLive.

According to an article in MedCity News, MDLive hit with class-action lawsuit over patient privacy issues, MDLive was served with a class-action lawsuit alleging that MDLive does not protect patients’ protected health information. The lawsuit sought $5 million in damages.

The complaint alleged that MDLive took screenshots of information entered by patients into the MDLive app and “covertly,” without notifying patients, shared these screenshots with TestFairy, an Israeli technology company that tracks user experiences and locates and reports on potential bugs inside the app.

According to MobiHealthNews, the plaintiffs’ law firm that filed the complaint was “notorious … for filing lawsuits related to privacy and security.”

More recent news is that the class-action lawsuit has been dismissed, first voluntarily by the lead plaintiff without prejudice, and thereafter by a federal judge, with prejudice. Another article (in mHealthSpot) reports that the lawsuit was resolved, without any settlement being paid by MDLive to the plaintiff.

The Telemedicine Giant Responds

MDLive responded publicly in Setting the Record Straight.

Here MDLive states, among other things, that with respect to compliance:

  • There was no data
  • MDLive complies with “all applicable privacy laws and ”
  • No data was shared with unauthorized third parties
  • TestFairy has no access to patient information that arises from patient-physician consultations

Importantly, the Fact Sheet provides a cogent explanation of the way MDLive does share information with third parties:

  • “Authorized third parties are bound by contractual obligations and applicable laws to keep personal information confidential and use it only for the purposes for which we disclose it to ”
  • “Our privacy policy tells members who register that we may disclose their personal information to contracted third parties we use to support our business, such as the use of the TestFairy ”

Test fairy, tooth fairy. MDLive had a privacy policy, and said that it shared data in the same way that many companies do – with vendors, in a limited way.

A good place to look for additional risk mitigation measures that a future company in MDLive’s position might take is the “minimum necessary” rule under HIPAA, i.e., that disclosures of PHI should be limited to the minimum necessary under the circumstances.

Avoiding HIPAA Litigation

This suggests several takeaways for a Company seeking to learn lessons from the MDLive lawsuit.

  1. Amp up HIPAA compliance with an eye to third-party class action trolls. If the Company claims HIPAA compliance, then the Company should be sure to have in place not only a Privacy Policy, but also all the policies, procedures and forms required under HIPAA, as well as other planks of HIPAA compliance such as:
     • HIPAA training for all the workforce
     • appointment of HIPAA Privacy and Security
     • guarding against data breaches: policies and procedures with respect to data breaches should also be in place, including policies with respect to disciplining employees responsible for sharing unauthorized PHI (protected health information) or other data breaches
  2. Draft a robust Privacy Policy: The Privacy Policy should contain the boilerplate language allowing the Company to disclose personal information to contracted third parties that the Company uses to support its business operations.
  3. Have subcontractors execute a BAA (Business Associate Agreement): To the extent that third parties would be considered Business Associates or subcontractors of the Company under HIPAA, the Company should have executed Business Associate Agreements under which such third parties agree to abide by HIPAA.
  4. Adopt the “minimum necessary” policy and limit disclosures.

A cardinal principle of HIPAA is that only the minimum necessary information should be disclosed to accomplish the intended purpose of the disclosure. This would be good to keep in mind when making disclosures to third parties, as the boilerplate described in # 2 above is not a panacea but rather a general statement of policy.

It was probably beneficial to MDLive that the information at issue did not involve patient information from patient-physician consultations, and presumably was only shared for the purpose of facilitating testing of the app.

The Bottom Line

Although healthcare law can be highly specialized, and HIPAA compliance can be arcane and tedious, privacy and security issues rarely arise in a vacuum.  To properly deal with the many regulatory and compliance headaches that can assail a healthcare practice or business, it’s helpful to have legal counsel familiar with the many cross-cutting arenas of legal exposure.  Drafting good policies and procedures is just a start; anticipating exposure and putting in place good risk management protection is also critical.  Contact us if you’d like legal advice about HIPAA, medical privacy and security, or related legal arenas.

Contact Us

Michael H Cohen Healthcare & FDA Lawyers