An Illinois court recently granted a motion to dismiss a class-action lawsuit that resulted from a Health Information Portability and Accountability Act (HIPAA) breach of protected health information (PHI). The court ruled that plaintiffs cannot claim injuries based merely on potential losses.
The breach by Advocate Health and Hospitals Corp. in Downers Grove, Ill., occurred in August 2013. Because there is no private cause of action under HIPAA, the plaintiffs' only course of action was under state laws, in this case the Illinois Personal Information Protection Act, the Illinois Consumer Fraud Act, and invasion of privacy.
The Case
The breach was one of the largest at that time and involved the theft, from an Advocate medical group building, of four unencrypted laptop computers that included the PHI of over 4 million patients. Advocate faced fines and sanctions under HIPAA, and the class-action suit served to complicate its problem even more. Eventually, Advocate filed a motion to dismiss the lawsuit, saying that the plaintiffs had no standing and had not made a specific claim.
Advocate’s motion was granted because the plaintiffs could not prove that the PHI had been viewed or used in any harmful way; therefore, there was no proof of identity theft. The court ultimately agreed with Advocate’s argument and dismissed the suit with prejudice.
Lessons for Laboratory Privacy and Compliance Officers
Compliance breaches can happen to anyone, and there have been several that are specific to laboratories, such as the case reported elsewhere in this issue. Even though this case is not lab-specific, it does raise awareness of the multiple legal risks that can result from a single breach.
Takeaway: Compliance threats from HIPAA breaches have grown in frequency and variety, which highlights the need for labs and other providers to ensure that all PHI is protected and secured.