Tuesday, November 24, 2020
Healthcare information breaches are on the rise-recent estimates peg the variety of affected person data breached in 2019 as exceeding 41 million people. Moreover, roughly 60% of all healthcare information breaches are attributable to inside actors—a statistic underscored by consecutive information breach class actions filed in opposition to the Mayo Clinic regarding the unauthorized entry of affected person data.
In October, Mayo Clinic disclosed that {that a} former worker had inappropriately accessed the well being data of greater than 1,600 sufferers. Info that will have been accessed within the breach reportedly included title, demographic data, date of beginning, medical report quantity, scientific notes and medical pictures (together with, as alleged within the litigation, nude pictures of sufferers taken in reference to ongoing most cancers therapies).
This month, following disclosure of the breach, Mayo Clinic was hit with two information privateness class motion lawsuits in Minnesota state courts. See Bloxton-Kippola, et al. v. Mayo Clinic, et al., Case No. 55-cv-20-6188 (Minn. Dist. Ct.) and Ryabchuk v. Mayo Clinic, et al., Case No. 55-cv-20-6445 (Minn. Dist. Ct.). Amongst different issues, the litigations allege that Mayo Clinic did not “put into place methods or procedures to make sure that Plaintiffs’ and equally located people’ well being data can be protected and wouldn’t be topic to unauthorized entry.” The Plaintiffs assert claims in opposition to Mayo Clinic below the Minnesota Well being Information Act (“MHRA”) and for frequent regulation privateness torts.
First, some background for the uninitiated. The federal well being privateness statute, Well being Insurance coverage Portability and Accountability Act (“HIPAA”), supplies for the disclosure of protected well being data (“PHI”) within the absence of consent below a variety of circumstances. This consists of, however will not be restricted to, for therapy, cost and healthcare operations (collectively, “TPO”) in addition to for different functions (analysis, public well being actions, and many others.). Importantly, sufferers wouldn’t have a proper to sue their well being care supplier below HIPAA for failing to observe HIPAA rules (there is no such thing as a non-public proper of motion).
Nonetheless, HIPAA units solely minimal requirements that should be adopted when affected person information is anxious. It doesn’t preempt states from passing extra stringent healthcare privateness legal guidelines—as Minnesota has finished with the MHRA. The MHRA protects the info contained in medical data of particular person sufferers collected by healthcare suppliers and applies to all Minnesota-licensed physicians. Suppliers that violate the MHRA are topic to recourse from their licensing board. In contrast to HIPAA, sufferers can also sue suppliers for violating the MHRA.
Related for functions of the Mayo Clinic litigations, along with the necessities below the HIPAA Privateness Rule, the MHRA prohibits a supplier from releasing a affected person’s well being data to any individual with out:
(1) a signed and dated consent from the affected person or the affected person’s legally approved consultant authorizing the discharge;
(2) particular authorization in regulation; or
(3) a illustration from a supplier that holds a signed and dated consent from the affected person authorizing the discharge.
Plaintiffs within the two litigations assert that they’re “sufferers” as outlined below the MHRA and Mayo Clinic is a “supplier”. In addition they allege {that a} former worker of the Mayo Clinic accessed their “well being data” within the absence of their consent, in contravention of the MHRA’s necessities. Moreover pleading a depend below the MHRA, Plaintiffs convey frequent regulation tort claims for invasion of privateness, negligent infliction of emotional misery, and for vicarious legal responsibility. Plaintiffs search financial damages along with another aid the courtroom deems simply and equitable.
Because the variety of information breaches continues to rise, so too will the variety of information breach litigations. CPW will there to cowl these developments as they happen. Keep tuned.
© Copyright 2020 Squire Patton Boggs (US) LLPNationwide Legislation Assessment, Quantity X, Quantity 329