How a HIPAA Violation Became Malpractice

5 Myths & Facts every provider needs to know

“I used HIPAA to establish the standard of care. Though it might seem a semantic distinction, it is actually quite important from a legal standpoint; I did not sue Walgreen for violating HIPAA, I sued Walgreen for negligence, but I used HIPAA to prove that Walgreen was negligent. Similarly, I did not sue the pharmacist for violating HIPAA, I sued her for professional malpractice, but I used HIPAA to prove that what she did fell below the commonly-accepted standard for privacy protection.” Attorney Neal Eggeson, quoted in The Healthcare Blog

A 2013 $1.44 million malpractice verdict should get the attention of every doctor and hospital. In a suit against Walgreens, attorney Neal Eggeson successfully argued that HIPAA compliance was a ‘Standard of Care’ that every health care professional should practice, and that failing to do so was professional malpractice. To the surprise of many, including Walgreens, the jury agreed.

Myth: A patient cannot sue for a HIPAA violation.

Fact: False. While HIPAA does not include a “Right of Private Action” (the ability to sue), states give that right to their residents.

Myth: If I train my employees then I am OK.

Fact: False. Walgreens proved that its employee had received training and had even signed a confidentiality agreement.

“The pharmacist in this case admitted she was aware of our strict privacy policy and knew she was violating it,” the company said. “We believe it is a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.” (HealthITSecurity.com)

Walgreens still lost.

Myth: HIPAA is not a Standard of Care.

Fact: False. A Standard of Care is “the level at which the average, prudent provider in a given community would practice.” (MedicineNet.com) Examples include wearing gloves and not sharing needles between patients. The jury in the Walgreens case agreed that the HIPAA violation was the underlying cause of professional malpractice.

Myth: HIPAA is not part of patient care.

Fact: False. While it may be annoying and expensive, like airport security, protecting your patients’ identities against theft is part of their care. No one wants their identity stolen. Why should a doctor work hard to improve a patient’s health and then not care enough to comply with HIPAA and protect their data? HIPAA is good for patients, and it is also required by law.

Myth: My malpractice insurance covers cyber liability.

Fact: Maybe. Some malpractice policies include cyber liability coverage, with limits of $50,000 or $100,000. That may sound like a lot of coverage until you look at the Walgreens verdict of over $1.4 million, or at the 2013 Cost of a Data Breach Survey, which estimates the cost of a breach at $188 per record. For a medical practice with 20,000 medical records, a breach would cost over $3.7 million.

At Semel Consulting, our approach to HIPAA is to help you protect your patients’ privacy by guarding against identity theft, protect your organization by reducing or eliminating risks that could result in fines or lawsuits, and document your efforts so you could survive a HIPAA/Meaningful Use audit or data breach investigation.

Our HIPAA SOS (Security Officer Services) includes what you need to build a HIPAA compliance program, including policies, procedures, consulting to help you implement compliance, and ongoing assistance including incident investigations. Contact us for more information.