An interesting ruling from the Connecticut Supreme Court came down this past week. The justices ruled that a woman can sue her doctor for negligence if the physician violates regulations that dictate how practices must maintain patient confidentiality as outlined under HIPAA.
The Lawsuit
According to her lawsuit against the practice, the plaintiff learned that she was pregnant, but since her relationship with the father had gone south, she gave instructions to her OBGYN to not release any information to the father of the child, which is well within her rights.
Her medical information was subpoenaed in a lawsuit, and the center did not notify the woman that the pregnancy information was requested, or seek legal guidance on how to proceed. In short, the center violated its own privacy policies, and illegally released this information to the court — thus the suit.
Connecticut is the 4th state (along with North Carolina, Missouri, and West Virginia) to rule that patients can sue their doctors directly using HIPAA as a standard of care. This means the patients aren’t actually suing for a HIPAA violation; they are suing providers for negligence, arguing that the HIPAA Privacy and Security standards define the level of care a patient can reasonably expect from a health care provider.
These rulings are quite significant, and they may open the way for more lawsuits in other states. The question is, will other state courts rule in the same way as these four, and will this apply to all Covered Entities, Business Associates, and Business Associate Subcontractors?
Standard of Care
The Omnibus Rule treats Covered Entities (hospitals, doctors, insurance carriers, and employers), Business Associates (those who support Covered Entities, e.g. insurance agents, IT providers, remote storage), and Business Associate Subcontractors (companies that support Business Associates) as equals when it comes to protecting PHI. This means they are all subject to the same fines and penalties. Does this suit open the door for all of them?
With these rulings, theoretically, anyone you give your Protected Health Information (PHI) to could reasonably be expected to protect that information to the HIPAA Standards. And if a release harms the person, like the claim in the Connecticut case, the organization that released it could potentially be open to fines from HHS and the state Attorneys General, and possibly a lawsuit from its clients.
If the threat of audits and fines from HHS weren’t enough for everyone out there, this should be a wake-up call! I’ve spoken to many folks who are ignoring this law, saying, “What are the odds HHS is going to come audit me?” Perhaps HHS won’t come knocking, but a client, employee or patient might.
So, what do you do?
- Make sure you have proper Privacy and Security Policies and Procedures in place. These are your guidelines for how you will protect your clients’ and patients’ information. You are required to have these documents; HHS and your State Attorneys General will look for these first if there is an issue. These documents will also be required if there is a lawsuit against your practice or company. We have templates that will assist you in creating these documents. If you don’t have these, it’s like going to an IRS audit without tax returns. Who does that?
- Train your employees on HIPAA Standards. They are your first line of defense, and where most HIPAA violations happen. Make sure they understand what HIPAA requires, so they can protect your patients, clients, employees and business/practice.
If you don’t have these items, or don’t know where to start, we can help you with our industry-specific, online, comprehensive Training and Compliance Documents.