Can a HIPAA Violation Result in Malpractice?

By: Dave Kinsey | September 28, 2015

Government fines have long been the most visible consequence of failing to comply with the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state privacy laws. But in recent years, private party lawsuits have also succeeded using HIPAA requirements as evidence of negligence or malpractice.

Why this matters for businesses: Even if you’re not directly subject to HIPAA, privacy laws are expanding, and HIPAA standards are increasingly used as the yardstick for evaluating data protection practices in lawsuits.

The Walgreens Case

In 2013, an Indiana jury awarded $1.44 million to a customer after a Walgreens pharmacist accessed her confidential medical history without authorization.

The pharmacist’s husband had an affair with the woman, resulting in a child. Suspecting the woman of transmitting a sexually transmitted disease, the pharmacist viewed her records and shared this confidential medical information with her husband. He then attempted to use that information to pressure the woman into dropping her child support claim.

The pharmacist admitted she knew her actions violated privacy policies. Walgreens argued her conduct was unauthorized and personal. The jury still found Walgreens 80% responsible, with the pharmacist responsible for the remaining 20%.

I did not sue Walgreens for violating HIPAA, I sued Walgreens for negligence, but I used HIPAA to prove that Walgreens was negligent. Similarly, I did not sue the pharmacist for violating HIPAA, I sued her for professional malpractice, but I used HIPAA to prove that what she did fell below the commonly accepted standard for privacy protection.

-Neal F. Jefferson, Attorney

The Expanding Legal Landscape

Privacy breaches are increasing, and legal standards are evolving. HIPAA requirements, while originally designed for healthcare, are now used to support negligence and malpractice claims in other industries.

Even if your business isn’t formally subject to HIPAA, acting as though you are may be the safest approach. You may eventually be held accountable to this standard. Many organizations are already subject to other privacy laws where HIPAA’s requirements could influence the standard of care expected in court. (And this is all separate and in addition to your ethical responsibilities.)

Complying with the law here is much more complex than people assume. The FBI has noted:

"The biggest vulnerability was the perception that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise."

FBI Memo, April 17, 2014

Top 10 Security & Compliance Guidelines For Your Firm:

  1. Assess risks in maintaining privacy and security and then update and/or establish policies and safeguards to ensure all parties with access to your data (including any subcontractors and their subcontractors) will keep information confidential and your environment secure.

  2. Obtain written assurances from employees and contractors that they will follow procedures. Note: simply getting a Business Associate Agreement (as required by HIPAA) is not enough. Be sure vendors understand and meet the requirements.

  3. Designate a single individual with authority to oversee your firm’s security and privacy.

  4. Ensure that your policies and procedures support the concept of minimum necessary use and disclosure.

  5. Clearly communicate with clients and obtain consent for how their information will be used.

  6. Ensure you have a system in place to train and manage your employees on privacy policies, recognizing breaches, and how to respond.

  7. Evaluate any instance where firm data is not currently encrypted. Encrypt sensitive data wherever possible. Encryption often provides safe harbor in breach situations.

  8. Engage a third party to review policies and procedures.

  9. Discuss privacy law compliance with clients and evaluate risks and opportunities together.

  10. Consider potential consequences for third-party injury as a result of failure to comply.

At Total Networks, we help organizations strengthen privacy practices, align with industry standards like HIPAA, and reduce the risk of both regulatory penalties and private lawsuits.

Would your privacy safeguards hold up in court?

From policy reviews to technical safeguards, we’ll help you meet or exceed industry standards for protecting sensitive data.