Sizing Up Impact of Class Action SuitsWill Breach-Related Lawsuits Lead to a Change in Behavior?
"Class actions have really become the bogey man that's leading healthcare organizations to rethink security safeguards to stay off those front pages..." says Adam Greene, partner at Davis Wright Tremaine LLC.
Another participant in the panel discussion, privacy advocate Deven McGraw, hopes that's the case. "If, in fact, the class action suits are the bogey man that finally gets the industry to start robustly adopting encryption, at least for portable media, then there will be an important policy goal that will be achieved, albeit at a very high cost," says McGraw, director of the health privacy project at the Center for Democracy and Technology.
Class action lawsuits have been filed following a number of healthcare information breaches, including those involving the TRICARE military healthcare program, Sutter Health, Stanford Hospital and Clinics, WellPoint and Health Net.
The threat of multi-million dollar class action lawsuits might lead some organizations to think twice before notifying authorities of a breach when the risk of harm to individuals appears marginal, says Robert Belfort, partner at Manatt, Phelps & Phillips.
Belfort contends that many healthcare organizations have decided to report breaches that posed minimal risks just to be absolutely sure they're complying with the HIPAA breach notification rule. "But if it turns out to be the case that the risk of notification is a lot higher than it used to be" as a result of potential class action suits, more organizations may think twice before reporting certain breaches, he says.
"This just underscores the need for the government to issue the final rule clarifying just what is the standard for notification," McGraw says. The interim final version of the breach rule, now in effect, says organizations must report a breach if they determine it poses a significant risk of harm. But it doesn't adequately define that risk, she argues. "There's a degree of subjectivity in that decision for which there hasn't been a lot of guidance from the regulators," she adds.
The Department of Health and Human Services' Office for Civil Rights has indicated the long-delayed final version of the breach rule may be issued as soon as March (see: March Target for HIPAA Modifications).
In the panel discussion, the attorneys:
- Address why there's been an increase in class action lawsuits in recent months. For example, they point to a California statute, which enables the filing of class action lawsuits seeking damages of $1,000 per individual affected by breaches caused by negligence, even in the absence of actual harm.
- Offer predictions on whether any lawsuits will go to trial or be settled in the months ahead. Belfort stresses that the California cases, in particular, may be settled because of the lack of a requirement to prove harm.
- Forecast how the lawsuits could lead to better security strategies, especially wider use of encryption. "I see a hospital system being hard pressed to look at their neighbor getting hit with a multi-million dollar class action lawsuit and not think twice about their own security," Greene says.
Belfort, a partner at the national law firm Manatt, Phelps & Phillips LLP, specializes in advising healthcare organizations on regulatory compliance and transactional matters. Greene, a partner at Davis Wright Tremaine LLP in Washington, specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, which enforces HIPAA. McGraw is director of the health privacy project at the Center for Democracy & Technology, a Washington-based, not-for-profit civil liberties organization. She also serves as the co-chair of the Privacy and Security Tiger Team that advises federal regulators.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.