Community Health Systems (CHS) was issued a $4,500,000 HIPAA fine for a reported 2014 data breach. The breach reportedly resulted from malware that Chinese hackers installed on CHS’s computer system. The incident exposed approximately 4.5 million patients’ names, dates of birth, addresses, telephone numbers, and social security numbers.
But that was just the beginning of the monetary penalties that CHS was about to face.
Since then, numerous lawsuits related to these HIPAA violation cases have been filed by patients in the aftermath of the breach. Patients affected by the breach are seeking compensation for the theft of their protected health information (PHI).
Now, a class action suit has been filed against CHS. The settlement is still being reviewed by the judge overseeing the case; however, the suit is seeking two potential monetary awards for patients affected by the breach. Individuals who can prove that they incurred out-of-pocket expenses as a result of the breach, and/or can show evidence that time was lost securing their accounts, can claim up to $250. Other individuals who suffered identity theft or fraud can receive up to $5,000.
HIPAA Violations Lead to HIPAA Lawsuits
The case against CHS demonstrates, more than anything, that the risks associated with HIPAA violations don’t end with an OCR investigation. These days, it’s becoming common for a HIPAA violation caused by a large-scale data breach to result in subsequent civil suits and attorney general suits.
Though it is not possible for a patient to sue for a HIPAA violation itself, since HIPAA provides no private cause of action, patients can take legal action against healthcare providers and obtain damages for violations of state laws. That is why the consequences of a data breach can be so severe.
More states have been allowing patients to file lawsuits against a HIPAA covered entity that has neglected its due diligence to comply with the HIPAA Security and Privacy Rules. Patients will be required to prove that damage or harm was caused by negligence or by the theft of unsecured health information.
Patients who are considering taking legal action against a covered entity should be clear about their aims and what they are hoping to accomplish. An alternate solution to filing a lawsuit is filing a HIPAA complaint with HHS OCR.
Filing a HIPAA Complaint
Patients who have experienced or witnessed a violation of the HIPAA Rules by a covered entity or business associate may file a complaint with the Office for Civil Rights (OCR). OCR will review the details of the complaint and ultimately decide whether or not to initiate an investigation. If OCR launches an investigation, corrective or punitive action may be taken against the offending organization if the HIPAA Rules have in fact been violated. The important distinction to remember is that a data breach may cause OCR to investigate a healthcare organization, but fines will only be levied if OCR uncovers negligence on the part of the organization in question.
Under state laws, filing a complaint with HHS OCR should be the first step before legal action is taken against the covered entity. Complaints must be submitted within 180 days of a patient’s discovery that the HIPAA Rules have been violated. Complaints may also be filed with state attorneys general, who are also authorized to pursue cases against HIPAA-covered entities for HIPAA violations.
Several factors will determine the actions taken against the covered entity, including the nature of the violation, the severity of the violation, the number of individuals impacted, and whether there have been repeat violations of HIPAA Rules.
OCR has the authority to issue penalties for HIPAA violations to organizations that have failed to comply with the HIPAA Rules. Many complaints can be resolved through voluntary compliance if an organization agrees to implement corrective actions that address the violations. One way to avoid future complaints is to adopt an effective compliance program, as mandated by the HIPAA Rules.
The Department of Health and Human Services Office of Inspector General (OIG) created The Seven Fundamental Elements of an Effective Compliance Program, which represents the minimum requirements that all healthcare providers must have in place to address the HIPAA Privacy and Security Rules.
Protecting Against HIPAA Lawsuits
The best way to defend against HIPAA lawsuits is to prevent HIPAA violations from happening in the first place.
At Compliancy Group, we give health care professionals everything they need to create an effective compliance program. The Guard is our HIPAA compliance web app that allows users to satisfy the full set of requirements placed on them under the law.
Users are paired with one of our expert Compliance Coaches to guide them through each step of their regulatory requirements. We give health care professionals peace of mind and help avoid HIPAA lawsuits and expensive fines. Find out how Compliancy Group can help make you confident in your compliance today, so you can get back to running your business.