The Connecticut case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology may set a trend in which healthcare providers and business associates face legal risk for failing to follow the HIPAA regulation or other privacy regulations. In this case, a patient sued the healthcare clinic for releasing her medical records to a third party, under subpoena, without informing her or getting her permission, a case that showcases the impact of data breaches.
As a result of Avery Center for Obstetrics and Gynecology releasing the medical records to a third party, the patient’s ex-boyfriend viewed her “highly sensitive” health records and used them to harass, embarrass and extort her. While HIPAA does not allow individuals to file a lawsuit claiming a violation of their privacy under the HIPAA regulations, the plaintiff in the Connecticut case alleges that the clinic was negligent when it released confidential health records instead of protecting the patient’s information, a violation of HIPAA. Since the Connecticut Supreme Court ruling allowed a negligence claim for the alleged violations of HIPAA privacy standards, attorneys are explaining the HIPAA ruling.
However, health data breach lawsuits filed under statutes other than HIPAA have required plaintiffs to show the impact of the breach. The case against Sutter Health was one such case; the courts dismissed it because the plaintiffs failed to show evidence of harm, such as identity theft or fraud, caused by the breach. Nevertheless, even under the HIPAA ruling, the impact of a breach on its victims plays a vital role when alleging HIPAA negligence. Therefore, the standards set forth in HIPAA for both privacy and data breaches call on enterprises to put regular safeguards in place to protect patient information.
Healthcare establishments today receive heightened attention from regulatory bodies enforcing penalties for data breaches. Through its ruling in the Byrne case, the Connecticut Supreme Court sends a clear message to healthcare providers and their business associates to abandon the practice of poor encryption and to put in place an appropriate program to prevent data breaches. If they fail to follow HIPAA, this ruling means that the impact of a breach now exposes them to legal risk.
With the HIPAA Omnibus Rule effective since 2013, business associates and covered entities handling patient health information are directly responsible for HIPAA compliance and must encrypt data and avoid mistakes that expose it. In addition, the use of the Aegify security and compliance monitoring system will give these covered entities continuous security monitoring and effective compliance that demystifies the complex compliance regulations. Since the Aegify solutions address the security and compliance requirements of covered entities as well as business associates, individuals can be assured that their private healthcare data remains safe and secure.