Those involved in Protected Health Information security are going to come to know this case well if they don’t already. This US Supreme Court decision from February, 2013, at its core, declared that if damage from a breach can’t be proven, damages will not be awarded to the class action suit litigants.
Dry stuff, yes, but consider the implications in relation to HIPAA, HITECH, and the FInal Omnibus Rule.
First, given that HIPAA’s definition of breach has been modified from “Risk of Harm” to an Objective Standard of harm (including whether breached information was actually acquired or viewed), the Clapper decision backs up in the courts what has already been decided by the Final Omnibus Rule.
Second, with Safe Harbor definitions substantiating that inadvertent disclosure of Protected Health Information (PHI) to a person authorized to access PHI without further use or disclosure not permitted by the HIPAA Privacy Act does not constitute a breach, the Clapper decision again backs up in the courts what has already been clarified in the Final Omnibus Rule.
Still too dry for you? Let us link this back to the real world. Sutter Health recently experienced another breach, potentially adding to its $4.25 Billion class action suit woes from a previous breach. What does Clapper v. Amnesty International mean to them? Well, the Sutter Health legal defense team now has coverage on all fronts. They may be able to prove that no harm has come of the breach, in which case they are in much better shape on the class action suit front, and potentially on the HIPAA/HITECH front as well (of course, Safe Harbor may still not be achieved). No harm equates to loss for the class action litigants. Loss for the class action litigants may very well remove a $4.25 Billion liability for Sutter Health. You may rest assured that the Clapper decision is going to affect multiple cases in progress, and many cases to come in a similar manner.