Dawn of digital health care: Risks & strategies for liability, coverage
New tech can give a clear picture of a patient’s health but requires health care operators to store even more personal data.
As health care continues to move toward digital information, health care organizations must evolve their practices to uphold their responsibilities to patients and to comply with applicable laws and regulations. For the benefits of digitized health services to be realized, organizations must keep their patients' data secure. Newer health technologies mean that organizations accumulate more information, and patients must extend correspondingly more trust.
Big data and the Internet of Things have expanded the extent to which health information is collected. Wearable technology, such as watches, bracelets, rings and phone applications, can detect a wearer’s heart rate, activity, location, blood pressure, oxygen levels, fertility and other statistics. Constant monitoring of vital statistics gives health providers a more detailed picture of their patients’ health, but also results in larger quantities of patient data in the hands of health care organizations.
The use of artificial intelligence (AI) is expanding the speed and scale at which health care organizations can draw on health information in the course of providing care. AI in health care could greatly improve patient outcomes and the efficiency of care, but its predictive models depend entirely on the availability of large volumes of health data, which in turn concentrates more sensitive data in the systems that train and run them.
Telehealth, the provision of health care via electronic information and telecommunication technologies, has become far more prevalent in recent years. Telehealth depends on transmitting health information digitally, whether over a video session or through uploads to a cloud service or server operated by the organization, and so requires the patient to trust that the organization will maintain the privacy and security of that information in transit and at rest.
Because health information is now predominantly stored in electronic form, it can be compromised by cybercriminals. The more widely health information is shared, the larger the attack surface and the greater the risk that the shared data will be exposed in a cyberattack. A brief overview of the legal landscape regulating health information technology can help health organizations plan for the responsible use and storage of health information.
How HIPAA influences the situation
The Health Insurance Portability and Accountability Act (HIPAA) is the primary U.S. law establishing the right to privacy and security of health information. For purposes of simplicity, HIPAA's requirements can be divided into three sets of rules, each serving a primary goal of the statute: the privacy rule, the security rule and the breach notification rule.
The HIPAA privacy rule creates standards designed to protect health information. The privacy rule applies only to "protected health information" (PHI), which is information relating to an individual's health, care or payment for care that can reasonably be used to identify that individual. Covered entities (and the business associates that handle PHI on their behalf) may use or disclose PHI only for treatment, payment and health care operations, for other purposes the rule specifically permits, or with the authorization of the individual whose information is at issue.
The HIPAA security rule requires organizations to conduct regular risk analyses to identify potential vulnerabilities to the electronic protected health information (ePHI) they store, process or transmit, and to implement administrative, physical and technical safeguards against the risks found. Among those safeguards, the security rule requires access controls that limit access to ePHI to the users and roles that need it to do their jobs.
To put individuals who have been affected by a breach on alert, HIPAA requires organizations to notify different parties in the event of a breach: affected individuals, the Secretary of Health and Human Services and, for larger breaches, the media. These provisions make up HIPAA's breach notification rule. Any impermissible use or disclosure of unsecured protected health information is presumed to be a breach requiring notification unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability that the information was compromised. A practical caveat: the notification obligation attaches only to unsecured PHI, so data that was encrypted in accordance with HHS guidance at the time of the incident generally does not trigger it, which is one reason encryption of data at rest and in transit is worth treating as a baseline control rather than an optional one.
The Office for Civil Rights ("OCR") within the Department of Health and Human Services is the agency tasked with enforcing the HIPAA privacy, security and breach notification rules. OCR enforces HIPAA by investigating complaints, performing compliance reviews and providing covered entities with compliance guidance. Civil penalties fall into four tiers based on the covered entity's level of culpability, from violations it did not know about and could not reasonably have known about, up to willful neglect that is not corrected. The more aware the organization was of the violation, the greater the potential penalty.
Civil liability for health information & privacy breaches
The health care industry has been the subject of more class action lawsuits regarding data breaches than any other industry in recent years. An often-used theory of liability for breaches of health information has been negligence, which can be pleaded in a variety of contexts.
A recent class action certification is an illustrative example of negligence claims premised on health information and privacy breaches.
In October 2021, a Pennsylvania court certified a class action against a university-based medical center in Wooley v. UPMC. The class action alleges that the medical center was negligent in failing to prevent a nurse-employee from filming and photographing more than 200 patients without their knowledge or consent. The patients were filmed and photographed in various states of undress, and several of them were minors. Additional members may be added to the class as they are identified.
In addition to the potential jury verdict or settlement exposure this medical center faces, it must also comply with the HIPAA breach notification rule and determine what notification is required to the affected patients. The medical center may further face penalties from OCR upon its review of the incident.
The Pennsylvania class action is one of several large class actions brought against health organizations in recent years for exposure of health information, underscoring the importance of an internal health information protection program. Litigation of this kind potentially implicates a number of insurance policy forms, including cyber, professional liability and general liability. Prompt notice under every potentially implicated policy is necessary to allow the carriers to participate in the immediate response and to resolve any priority and allocation questions that may arise among them.
Conclusion
As the threats to health information rise, so too does the expectation that an individual's health information will be kept private and secure. Understanding the risks and regulations surrounding health information, and implementing a health information privacy plan, is critical to the long-term success of a health care organization. In the event of a breach, organizations should ensure that notice is provided under any and all potentially implicated policies.
Laura J. Ruettgers is a partner and chair of the data privacy & cybersecurity practice group at Kaufman Dolowich & Voluck LLP. She represents insurance carriers in coverage disputes and litigation.
Christopher J. Tellner is a partner and co-chair of the firm’s health care/managed care practice group at Kaufman Dolowich & Voluck. He concentrates his practice in the fields of insurance coverage, professional liability, defense of general liability matters, and business litigation.
Abbye E. Alexander is a partner and co-chair of the firm’s health care/managed care practice group at Kaufman Dolowich & Voluck. She focuses her practice on issues affecting national and local businesses in various practice areas including civil litigation, torts and complex business litigation.
Henry Norwood is an attorney at Kaufman Dolowich & Voluck where he focuses his practice primarily on health care law and general liability. He is licensed to practice law in the states of Florida, Maine and Massachusetts.