As appeared in the American Health Lawyers Association's Healthcare Liability & Litigation Health Briefs, on 9/9/09.
What happens if the offices of a covered entity are broken into and unsecured protected health information (PHI) of more than 500 individuals is stolen? With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act,[1] the ramifications to the covered entity and potential liability stemming from such a breach[2] are significant to say the least. Not only is the covered entity required to notify the affected individuals of the breach of unsecured PHI,[3] but also the covered entity must notify the media and the Department of Health and Human Services Secretary (HHS Secretary) of potentially damaging information concerning the breach. The HITECH Act's requirement to report details of a significant breach not only to the affected individuals but also to the media and the Secretary may negatively impact the covered entity's goodwill in the community and cause a loss of business. Of particular concern to the covered entity's litigation counsel, though, is the potential liability that the covered entity may face due to the breach.
Under the HITECH Act, a covered entity is required to notify individuals of a breach of unsecured PHI and provide the affected individuals with the following information: (1) a description of what happened; (2) a description of the type of unsecured PHI that was involved in the breach; (3) steps the individuals should take to protect themselves; (4) a description of what the covered entity is doing to investigate the breach, mitigate harm to the individual, and ensure that a similar breach does not occur; and (5) contact information if the individual has questions.[4] Having to detail the nature of the breach, the type of PHI compromised, and what steps the covered entity has taken to mitigate any harm places the covered entity in a precarious position because disclosing such information may be deemed an admission against the covered entity in future litigation brought by affected individuals.
Indeed, the affected individuals may rely upon the notification and the potential admissions contained therein to bring suit against the covered entity under federal or state law. Thus, even though the covered entity abides by the notification rules under the HITECH Act, the fact that there was a breach of unsecured PHI may cause the covered entity to face various liability risks. For example, the breach by the covered entity may violate state patient privacy laws. Or, the covered entity may face liability under various federal statutes, such as the Public Health Services Act if substance abuse treatment records are compromised.[5] Other examples include the improper disclosure of a diagnosis of a disease, which may cause the covered entity to face liability for intentional or negligent infliction of emotional distress, among other theories. Or, if Social Security numbers are compromised, the covered entity may face liability for financial losses associated with identity theft.[6] Because the covered entity may face a variety of liability risks under federal and/or state law, the risk of the notification under the HITECH Act being treated as an admission against the covered entity could have far-reaching, negative consequences in litigation.
Also increasing the risk of potential liability is the fact that the same information contained in the notification to the affected individuals also must be provided to the media.[7] Thus, not only will the general public have access to the details of the breach, but competitors will have access to the more damaging information concerning how the breach occurred and what information was compromised. Although publication in the media will not provide the affected individuals with any additional information, it could increase the risk of litigation: (1) by encouraging affected individuals, who may not have otherwise acted upon their personal notification, to pursue litigation against the covered entity; and (2) by educating plaintiffs' counsel about the breach, who may then seek out the affected individuals for representation.
Although the HITECH Act's breach notification rules are not yet effective,[8] what is quite apparent even now is that the breach notification rules will almost certainly foster litigation, particularly for significant breaches affecting more than 500 individuals.