Lawsuit for improper access to medical records faces many challenges
In a legal action noted by several privacy-minded observers, a woman in Cabell County, West Virginia filed suit in March against health care provider Marshall Health (the collective name for a group of clinical centers affiliated with Marshall University School of Medicine) for failing to prevent unauthorized access to her daughter’s medical records by a Marshall Health employee. According to an online article published by the West Virginia Record, the plaintiff’s daughter sought medical treatment from Marshall Health, where a woman in a relationship with the girl’s father was an employee. The employee, either acting on her own or on behalf of the girl’s father, accessed the daughter’s electronic medical records on multiple occasions over a period of more than a year. The employee was not involved in the daughter’s care, so her access to the medical records was unauthorized – a fact that Marshall Health acknowledged – and therefore constituted a breach of privacy. According to the account in the WV Record, Marshall Health management only became aware of their employee’s activity after the plaintiff contacted Marshall’s CIO to express her concerns that her daughter’s records were being accessed (and potentially altered) improperly. Marshall Health apparently had no automated monitoring of employee access to records and never provided any notification about its employee’s activity during the time it allegedly occurred, although it did confirm the unauthorized access in a letter responding to the plaintiff’s concerns. She is suing for compensatory and punitive damages.
It’s not entirely clear what the legal or statutory basis for this lawsuit might be. Like most states, West Virginia has enacted laws covering the protection of consumer information, including requirements for entities holding computerized personal information when breaches of the security of that information occur. The applicable sections of the West Virginia code, however, define a security breach to mean unauthorized access to personal information that “has caused or will cause identity theft or other fraud” to a resident of West Virginia. The unauthorized access is not in dispute here, but the alleged harm doesn’t seem to be related to identity theft or fraud. Although the facts of the case raise issues that sound relevant under the Security Rule and the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), there is no private right of action under HIPAA, so the plaintiff can’t bring suit under federal rules protecting the security and privacy of health-related personal information. It’s possible that the suit rests on a negligence claim, since the plaintiff claims that Marshall Health had a duty to protect the confidentiality of patient information and that it breached that duty when it failed to prevent unauthorized access by one of its employees to that information. The difficulty with that legal path is that, under U.S. tort law, to succeed with a claim of negligence the plaintiff must show actual damages as a direct result of the action (or inaction) that constitutes the breach of duty.
Under the HIPAA Privacy Rule covered entities like Marshall Health are required to maintain an accounting of disclosures of protected health information, but the regulations currently in force include an exception for disclosures related to treatment, payment, or health care operations. The employee implicated in this lawsuit may not have been engaged in any of those activities, but the exception for these “routine” types of disclosure often means that covered entities don’t produce detailed data access logs for their employees who have permission to access health record systems. The Health Information Technology for Economic and Clinical Health (HITECH) Act included a provision that would change accounting of disclosure rules to remove the exception for treatment, payment, and health care operations purposes, but that provision has never been implemented. As part of its consideration of that provision, the U.S. Department of Health and Human Services (HHS) actually proposed going further than the language in the law to add a requirement for covered entities to be able to provide an “access report” to individuals that would indicate who has accessed their electronic health information. The access report idea was contained in a Notice of Proposed Rulemaking published in 2011, but neither the access report nor changes to the accounting of disclosures regulation was included in the HITECH Omnibus Rule finalized in early 2013.
If the plaintiff’s allegations are true, then Marshall Health may in fact be in violation of HIPAA rules, some of which could serve to articulate the specific duty it owed to protect patient records from unauthorized access. The HIPAA Security Rule’s information system activity review standard (45 CFR §164.308(a)(1)(ii)(D)) requires covered entities to implement procedures to “regularly review records of information system activity,” such as audit logs, access reports, and security incident tracking reports. The simple fact that Marshall Health didn’t regularly monitor employee access to its systems may not, in and of itself, be sufficient to establish a breach of duty, since the regulations do not specify what “regularly” means. Because Marshall Health apparently admits the employee’s access was unauthorized, it presumably bears some fault that the unauthorized access occurred. Without a showing of the specific harm that resulted from the unauthorized access, however, the plaintiff cannot expect to prevail even if there is clear evidence that Marshall Health failed to act as it should have to prevent its employees from accessing patient data that is not explicitly needed for the performance of their job duties.
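The kind of automated review the Security Rule standard calls for, and the per-patient “access report” HHS proposed in 2011, are both straightforward to build once an EHR system writes an audit log. The following is an added example, not code from the article or from Marshall Health’s systems. It assumes a simple one-event-per-line log format, a care-team roster that records which users had a treatment, payment, or operations reason to open a chart and during which encounter window, and a 30-day grace period for post-discharge billing and follow-up; all of the log lines and roster entries are constructed for the illustration. It flags every access with no treatment relationship behind it (including accesses by a care-team member after the relationship has lapsed), counts repeat access by the same user to the same patient, which is the pattern alleged in this case, and produces the “who looked at my chart” report a patient could be given on request.

```python
"""Flag EHR record accesses with no treatment relationship behind them and
build a per-patient access report from an audit log.

Added illustration; the log format, field names, roster structure and grace
period are assumptions, not any real EHR product's or HIPAA-mandated format.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One access event per line.
SAMPLE_LOG = """\
2012-03-01T09:12:00 user=nurse01 patient=P1001 action=view
2012-03-01T09:30:00 user=drsmith patient=P1001 action=update
2012-03-15T22:41:00 user=clerk07 patient=P1001 action=view
2012-04-02T11:05:00 user=clerk07 patient=P1001 action=view
2012-06-18T13:20:00 user=clerk07 patient=P1001 action=update
2012-06-18T13:25:00 user=nurse01 patient=P2002 action=view
2012-09-30T10:00:00 user=nurse01 patient=P1001 action=view
2013-01-09T08:00:00 user=clerk07 patient=P1001 action=view
"""

# Constructed care-team roster: which users had a treatment/payment/operations
# reason to open a patient's chart, and the encounter window in which they did.
ROSTER = {
    "P1001": {"nurse01": (datetime(2012, 2, 25), datetime(2012, 3, 10)),
              "drsmith": (datetime(2012, 2, 25), datetime(2012, 3, 10))},
    "P2002": {"nurse01": (datetime(2012, 6, 1), datetime(2012, 7, 1))},
}

GRACE = timedelta(days=30)  # assumed allowance for billing/follow-up access


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into event dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def has_relationship(ev, roster, grace=GRACE):
    """True if the user was on the patient's care team and the access falls
    inside the encounter window plus the grace period; a lapsed relationship
    (care-team member opening the chart months later) is not enough."""
    window = roster.get(ev["patient"], {}).get(ev["user"])
    if window is None:
        return False
    start, end = window
    return start <= ev["ts"] <= end + grace


def find_unauthorized(events, roster):
    """Return every event with no treatment relationship, in log order."""
    return [ev for ev in events if not has_relationship(ev, roster)]


def repeat_offenders(events, roster, threshold=2):
    """(user, patient) pairs with at least `threshold` unrelated accesses."""
    counts = Counter((ev["user"], ev["patient"])
                     for ev in find_unauthorized(events, roster))
    return {pair: n for pair, n in counts.items() if n >= threshold}


def access_report(events, patient):
    """Per-patient access report: (timestamp, user, action), oldest first."""
    return [(ev["ts"].isoformat(), ev["user"], ev["action"])
            for ev in sorted(events, key=lambda e: e["ts"])
            if ev["patient"] == patient]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in find_unauthorized(evs, ROSTER):
        print(f"ALERT {ev['ts'].isoformat()} {ev['user']} "
              f"{ev['action']} {ev['patient']}")
    print("repeat access without relationship:", repeat_offenders(evs, ROSTER))
    for row in access_report(evs, "P1001"):
        print("report:", *row)
```

On the constructed data the script raises five alerts: four for the clerk with no relationship to P1001 at all, and one for the nurse who reopened P1001’s chart long after the encounter ended. Only the clerk crosses the repeat threshold. Real deployments would pull the roster from the scheduling or encounter system rather than a literal, and would treat the grace period and threshold as tunable policy rather than constants.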