As you’ve likely noticed, we attempt to liven up the world of HIPAA and all things related…it isn’t easy. HIPAA gets modified, medical records are breached (again), someone sues someone else, etc., etc., etc. After a while, the entire discussion sounds a bit like a broken record skipping.
That’s why we like to find that pristine copy of “Dark Side of the Moon” hidden in the back of the vintage record shop, and put it on the turntable. It hasn’t been played since 1978 and it still creates static as you pull it from the record jacket. It’s this unfettered, non-skipping record that allows one to break through the annoying background noise to try to figure out how song #3, “On the Run,” relates to song #6, “Money”…remember how you’d listen to the whole album/conversation to put together the big picture? (PS: if we have to explain these references because you’ve never heard of Pink Floyd or an LP record, then this entry isn’t for you…go to another browser window immediately).
When we read the following article by Al Saikali, we had one of those “found a pristine copy of Dark Side of the Moon” moments. Mr. Saikali describes how, in Resnick/Curry v. AvMed, Inc. in the Southern District Court of Florida, a settlement was reached for $3,000,000 over the loss of two laptops containing unencrypted patient insurance information. In the settlement, the 11th Circuit Court wrote an opinion supporting the plaintiff’s contention that although the litigants had not been shown to suffer damage (yet), a portion of the insured’s premiums was supposedly meant to go toward the securitization (e.g. encryption) of patient data, employee training on proper HIPAA protocols, etc. Given that the defendant did not, apparently, spend money in those areas (as evidenced by the breach), the plaintiffs had standing to sue. Apparently the defendants took this as writing on the wall and decided to settle.
So how does this take us back to the “Dark Side of the Moon” reference? Well, we’ve been keeping track, and this past year has been quite interesting on the breach litigation front. First, Clapper v. Amnesty International said there had to be proven harm in order for the plaintiff to win in a breach case…one would think this would have emboldened the defendants in Resnick/Curry v. AvMed, but read on. Subsequently, Hinchy v. Walgreens pointed out that HIPAA could be used as a weapon in breach cases regardless of harm, and by private citizens no less, where it illuminated that a Covered Entity had not met the industry standard for patient data security. Now, in Resnick/Curry v. AvMed, Inc., we have a settlement, based in large part on a Circuit Court opinion, pointing out that, regardless of harm, the plaintiffs had a basis to sue on the expectation that some of their premium was going toward securing their patient data and it was not apparently secured.
The final outcome is that there is no final outcome. There appears to be a balance establishing itself in the courts. Proof of harm in a breach is being balanced by an expectation that patient data is secured according to industry standards (i.e. HIPAA). There may indeed be a test case that makes its way to the Supreme Court some day, tilting this balance one way or the other, but in the interim this is where we appear to be.
Now, as for the link between “On the Run” and “Money,” come on, really? And on that note, it is time for us to advance the turntable arm to the last two songs, “Brain Damage” & “Eclipse,” and bid you adieu.