Is there no hope for plaintiffs when it comes to winning HIPAA data breach lawsuits? According to Al Saikali of Shook, Hardy & Bacon, the answer is “don’t bet on it”: he points to at least two instances where plaintiffs managed to get a settlement out of covered entities that caused a PHI data breach. Then again, I’d be the first to point out that a covered entity can rely far more on encrypting its laptops than on judges willing to throw out lawsuits.
Two Suits Settled
The two lawsuits being settled out of court are Burrows v. Winn Dixie and Resnick/Curry v. AvMed, Inc. Of the two, the latter has been covered in this blog. It’s also the more interesting one, since the district court had already ruled in AvMed’s favor, only to have the 11th Circuit Court of Appeals reverse that decision.
(If you’ll recall, two unencrypted laptop computers were stolen from AvMed’s offices, affecting 1.2 million people. The plaintiffs made an interesting accusation: that AvMed had essentially led them to believe it was HIPAA compliant when it wasn’t, the theft of the unencrypted laptops being the evidence.)
Looking through the settlement notice (PDF), we learn that AvMed is not willing to admit to any wrongdoing… and that’s about the only thing we do learn.
HIPAA: Encryption Is Your Friend
The definition of insanity, according to some, is doing the same thing over and over and expecting different results. I think that’s an excellent description of HIPAA covered entities. As far as PHI goes, they’re insane.
Would patients feel upset about thieves possessing their personal information and medical history? Yes.
Do they have reason to feel upset? Of course. Identity theft is a big problem.
Are laptops, external hard disks, USB sticks, and other digital storage devices stolen from or lost by medical entities every year… heck, every month? Yes.
Does all of the above more or less guarantee that, in any given month, people will be upset at one medical organization or another because of a data breach? Yes.
Is the Office for Civil Rights at the Department of Health and Human Services flexing its muscles and levying $1.5 million penalties? Yes.
Can the use of encryption on laptops and other portable devices basically do away with the lost-and-stolen-device breach problem? Yes. HHS treats properly encrypted PHI as secured, so a missing laptop whose disk is encrypted (and whose key didn’t go missing with it) is not a reportable breach of unsecured PHI in the first place.
And yet here we have another multimillion-dollar organization caught without encryption on its laptops, somehow assuming that nothing untoward would happen to it. (At least, that must be the reason it wasn’t using encryption. Otherwise, the plaintiffs’ lawyers really would have a case for arguing negligence, no?)
If that’s not insanity, I don’t know what is.
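Saying “encrypt your laptops” is easy; knowing which laptops in a fleet actually are encrypted is the part that gets skipped. The following is an added example, not code from this blog or from AvMed, of the check I would run on each Linux laptop: it walks the block-device chain that backs the root filesystem and reports whether a dm-crypt (LUKS) layer sits anywhere between the filesystem and the physical disk, so LVM-on-LUKS layouts are handled, not just a bare encrypted partition. It assumes util-linux `lsblk` with the `-P` key="value" output format and the `PKNAME` (parent kernel name) column; the two `lsblk` outputs embedded below are constructed samples, one encrypted laptop and one plaintext laptop.

```python
"""Report whether a Linux laptop's root filesystem is backed by an encrypted
block device, by walking the lsblk parent chain.

Added example for this post (not the blog author's code). Assumes util-linux
lsblk supporting `-P` output and the PKNAME column; the sample outputs below
are constructed, not captured from a real machine.
"""
import shlex
import subprocess
import sys

# Constructed sample: LVM on LUKS, the common "encrypt everything but /boot" layout.
LVM_ON_LUKS = """\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="luks-3f2a" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-3f2a"
NAME="vg0-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="luks-3f2a"
"""

# Constructed sample: the AvMed-style laptop, root directly on a plain partition.
PLAINTEXT = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
"""

LSBLK_CMD = ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"]


def parse_lsblk(text):
    """Parse `lsblk -P` output (one KEY="value" ... line per device) into a
    dict keyed by device NAME. shlex handles the quoting lsblk emits."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def chain_to_disk(devices, name):
    """Yield the device `name` and each parent (via PKNAME) up to the
    physical disk. The `seen` set guards against a malformed cycle."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        dev = devices[name]
        yield dev
        name = dev.get("PKNAME", "")


def device_for_mountpoint(devices, mountpoint):
    """Return the NAME of the device mounted at `mountpoint`, or None."""
    for dev in devices.values():
        if dev.get("MOUNTPOINT") == mountpoint:
            return dev["NAME"]
    return None


def mountpoint_encrypted(text, mountpoint="/"):
    """True if the device holding `mountpoint` is a dm-crypt mapping or sits
    on top of one (e.g. LVM on LUKS); False if the chain reaches the disk
    with no crypt layer; None if `mountpoint` does not appear in the output.
    Limitation: a volume group spanning several physical volumes is only
    checked along the single parent path lsblk reports for the volume."""
    devices = parse_lsblk(text)
    name = device_for_mountpoint(devices, mountpoint)
    if name is None:
        return None
    return any(dev["TYPE"] == "crypt" for dev in chain_to_disk(devices, name))


def main():
    """Run lsblk on this machine and exit non-zero if / is unencrypted, so a
    fleet-management job can flag the laptop."""
    out = subprocess.run(LSBLK_CMD, capture_output=True, text=True, check=True).stdout
    status = mountpoint_encrypted(out)
    print("root filesystem encrypted:", status)
    return 0 if status else 1


if __name__ == "__main__":
    sys.exit(main())
```

Two things the check deliberately does not claim. It says nothing about `/boot`, which in the encrypted sample is a plain partition, as it normally is. And it tells you the encryption layer exists, not that it was locked when the laptop walked out the door: a machine stolen while suspended, or one that auto-unlocks with no passphrase or PIN, still leaves the data exposed, and that is a policy question the script cannot answer.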