Category Archives: Legal

Dark Side of the Moon

220px-Dark_Side_of_the_Moon copyAs you’ve likely noticed, we attempt to liven up the world of HIPAA and all things related…it isn’t easy.  HIPAA gets modified, medical records are breached (again), someone sues someone else, etc., etc., etc.  After awhile, the entire discussion sounds a bit like a broken record skipping.

Thats why we like to find that pristine copy of “Dark Side of the Moon” hidden in the back of the vintage record shop, and put it on the turntable.  It hasn’t been played since 1978 and it still creates static as you pull it from the record jacket.  It’s this unfettered, non-skipping record that allow one to break through the annoying background noise to try to figure out how song #3, “On the Run,” relates to song #6, “Money”…remember how you’d listen to the whole album/conversation to put together the big picture? (PS: if we have to explain these references because you’ve never heard of Pink Floyd or an LP record, then this entry isn’t for you…go to another browser window immediately).

When we read the following article by Al Saikali, we had one of those “found a pristine copy of Dark Side of the Moon” moments.  Mr. Saikali describes how, in Resnick/Curry v. AvMed, Inc. in the Southern District Court of Florida, a settlement was reached for $3,000,000 in the loss of two laptops containing un-encrypted patient insurance information.  In the settlement, the 11th Circuit Court wrote an opinion supporting the plaintiff’s contention that although the litigants had not been shown to suffer damage (yet), a portion of the insured’s premiums were supposedly to have gone to the securitization (e.g. encryption) of patient data, employee training on proper HIPAA protocols, etc.  Given that the defendant did not, apparently, spend $ in those areas (as evidenced by the breach), the plaintiffs had standing to sue.  Apparently the defendants took this as writing on the wall and decided to settle.

So how does this take us back to the “Dark Side of the Moon” reference?  Well, we’ve been keeping track, and this past year has been quite interesting on the breach litigation front.  First, Clapper v. Amnesty International said there had to be proven harm in order for the plaintiff to win in a breach case…one would think this would have emboldened the defendants in Resnick/Curry v. AvMed, but read on.  Subsequently, Hinchy v. Walgreens pointed out that HIPAA could be used as a weapon in breach cases regardless of harm, and by private citizens no less, where it illuminated that a Covered Entity had not met the industry standard for patient data security.  Now, in Resnick/Curry v. AvMed, Inc., we have a settlement, based in large part on a Circuit Court opinion, pointing out that, regardless of harm, the plaintiffs had a basis to sue on the expectation that some of their premium was going toward securing their patient data and it was not apparently secured.

The final outcome is that there is no final outcome.  There appears to be a balance establishing itself in the courts.  Proof of harm in a breach is being balanced by an expectation that patient data is secured according to industry standards (i.e. HIPAA).  There may indeed be a test case that makes its way to Supreme Court some day, tilting this balance one way or the other, but in the interim this is where we appear to be.

Now, as for the link between “On the Run” and “Money,”, come on, really?  And on that note, it is time for us advance the turntable arm to the last two songs, “Brain Damage” & “Eclipse,” and bid you adieu.

For Every HIPAA Yin, a HIPAA Yang

YinYang-1I’m staring out the window at the East side of Portland, OR as I write this.  The clouds have finally started to roll in, likely spelling an end to a spectacular Portland summer.  The 60-90 days between late June and late September where we can count on sun, low humidity, and temperatures in the 80’s are Yin to 300-or-so days of cold, wet, and cloudy Yang.  Alas, Yin, we shall miss you, but Yang, you do keep things green and fresh.

The world of HIPAA is not without its Yin and Yang.  Last week we reviewed the HIPAA Yin implications of Clapper v. Amnesty International, showing its utility for defense against damages in breach cases.  Now consider the Yang: Hinchy v. Walgreens, and its use as a roadmap for the use of HIPAA as a weapon for individuals.  Allow me to expand.  The HIPAA Privacy Rule does not give individuals (you and I) the right to sue anyone for violation of our medical information privacy.  Rather, the Federal Govt. metes out fines, publicly shames, decreases reimbursement, and occasionally imprisons the guilty party(-ies).   However, as “The Pathology Blawgger” describes in a spectacular article, an enterprising attorney by the name of Neal Eggeson has been successful in using HIPAA to establish a standard of medical information privacy.   When there is deviation from this established medical information privacy standard Mr. Eggeson is able to show how individuals (e.g. his clients) are effected.

Thus, in the span of seven months, we’ve gone from use of HIPAA as a defense in the courts, to use of HIPAA as a weapon in the courts.  For every Yin a Yang.