Clapper v. Amnesty International

Those involved in Protected Health Information security are going to come to know this case well if they don’t already. This US Supreme Court decision from February 2013, at its core, declared that if damage from a breach can’t be proven, damages will not be awarded to the class action suit litigants.

Dry stuff, yes, but consider the implications in relation to HIPAA, HITECH, and the Final Omnibus Rule.

First, given that HIPAA’s definition of breach has been modified from “Risk of Harm” to an Objective Standard of harm (including whether breached information was actually acquired or viewed), the Clapper decision backs up in the courts what has already been decided by the Final Omnibus Rule.

Second, with Safe Harbor definitions substantiating that inadvertent disclosure of Protected Health Information (PHI) to a person authorized to access PHI without further use or disclosure not permitted by the HIPAA Privacy Act does not constitute a breach, the Clapper decision again backs up in the courts what has already been clarified in the Final Omnibus Rule.

Still too dry for you?  Let us link this back to the real world.  Sutter Health recently experienced another breach, potentially adding to its $4.25 Billion class action suit woes from a previous breach.  What does Clapper v. Amnesty International mean to them?  Well, the Sutter Health legal defense team now has coverage on all fronts.  They may be able to prove that no harm has come of the breach, in which case they are in much better shape on the class action suit front, and potentially on the HIPAA/HITECH front as well (of course, Safe Harbor may still not be achieved).  No harm equates to loss for the class action litigants.  Loss for the class action litigants may very well remove a $4.25 Billion liability for Sutter Health.  You may rest assured that the Clapper decision is going to affect multiple cases in progress, and many cases to come in a similar manner.



“I don’t know what HIPAA stands for, but I believe in it, and I practice it.”


Given that football season is upon us, it seems appropriate to kick off this entry with immortal words from an immortal NFL quarterback: Peyton Manning, circa 2011.

That quote, for you football fans, spilled forth as Mr. Manning was trying to dodge questions regarding the status of his neck…nothing like falling back on HIPAA as the reason one can’t divulge personal medical information.

As you can tell, today I’m using football as a cheap entrance to discuss HIPAA, the Final Omnibus Rule and all things related.  You likely just cringed, but please allow me to continue…there is a link here.

As in HIPAA/Final Omnibus, there are (relatively) safe areas on the football field:  On the football field, “the pocket” affords relative safety, and in HIPAA, it is falling in with Safe Harbor.

As in HIPAA/Final Omnibus, football allows for “do-overs”:  On the football field, instant replay and challenge flags equate to Affirmative Defense.

And finally, as in HIPAA/Final Omnibus, football is a stickler for rules:  On the football field, the midfield referee conference equates to the Objective Definition of Breach.

Those of you wanting to read how I made this metaphorical leap from the football field to the world of regulatory compliance can do so from our white paper (link at top of page here).

Best of luck to your team(s) this season!

Medical Identity Theft a Growing Problem

By Emily P. Walker, Washington Correspondent, MedPageToday
Published: September 23, 2011
WASHINGTON — Nearly four out of ten doctors and hospitals surveyed have caught a patient trying to use someone else’s identity in order to obtain healthcare services, according to a new survey from accounting firm PricewaterhouseCoopers (PwC).

Patients seeking medical services under someone else’s name was the second most common privacy or security issue reported by healthcare providers, according to PwC’s nationwide survey of 600 executives from U.S. hospitals, doctors’ organizations, health insurance companies, pharmaceutical manufacturers, and life sciences companies.

Medical identity theft is the fastest-growing form of identity theft, affecting 1.42 million Americans in 2010 and costing more than $28 billion, the report said.

When I was practicing medicine in the ER, this was a daily occurrence.  In fact, the problem led to the formation of our company, and the launch of our service offerings when I found that the medical identity theft issue was part of a larger problem related to lack of security for Protected Health Information.