In a ruling that seems to run counter to HIPAA, a California appellate court has ruled that providers aren't necessarily liable to patients when medical records are stolen or misappropriated unless they are accessed by a third party.
Patient Melinda Platter had sought damages from the University of California after a laptop was stolen in a 2011 home invasion robbery of a UCLA Health physician. The laptop was encrypted, according to federal and state requirements, but an index card containing the access password also was stolen. However, there was no evidence that the data was ever accessed.
The state's Confidentiality of Medical Information Act provides for a fine of $1,000 for each patient record breached. With 16,000 patient records on the laptop, the fine could have totaled $16 million. Instead, the appeals court ruled that the suit be dismissed.
"The decision is good news for hospitals and other healthcare providers who are victims of theft or hacking of medical information where the plaintiff cannot prove that the thief or hacker actually viewed the medical information," the California Hospital Association said in a blog post.
Forty percent of large data breaches involve laptops or storage devices that are lost or stolen, according to the U.S. Department of Health & Human Services. As health data breaches proliferate, however, lawyers are changing tactics, going beyond trying to show that exposure of patients' personal information led to financial harm.
Downers Grove, Ill.-based Advocate Medical Group faces a class-action lawsuit by patients, in addition to state and federal investigations, after personal information for more than 4 million patients was compromised in the July theft of four computers. The lawsuit claims the group failed to use encryption and other security practices.
It was the second-largest loss of unsecured health information reported to HHS since the agency made notification mandatory in 2009.