As the health care sector moves toward wide-scale adoption of electronic medical records, the potential for personal-data breaches has significantly increased, creating a precarious legal environment for health plans and providers while class-action firms are carving out a lucrative niche in California.
In the past 18 months, health systems such as Sutter Health, Kaiser Permanente, Stanford Hospitals and Clinics, Health Net and numerous others have experienced data breaches, including St. Joseph Health, an event that affected some 10,000 patients in Sonoma and Napa counties, where it operates three hospitals.
The ramifications can be steep -- St. Joseph Health is facing multiple lawsuits, one filed in Sonoma County for $31.8 million, or $1,000 for each of the 31,800 patients affected across California. Other health systems have seen lawsuits to the tune of $500 million.
A number of factors are behind the recent spike in such lawsuits, including technological advances in health information, spurred at least in part by the Health Information Technology for Economic and Clinical Health, or Hi-Tech Act, according to Clark Stanton, a partner with Hooper, Lundy & Bookman, a firm with offices in San Francisco and Los Angeles that specializes in health care.
The act, part of the 2009 American Reinvestment and Recovery stimulus, permitted the Centers for Medicare and Medicaid Services to promote electronic medical records by way of enhanced reimbursement for providers who demonstrate so-called "meaningful use" of EMRs, or decreased reimbursement for those who don't adopt electronic records.
Additionally, federal laws -- most prominently the Health Insurance Portability and Accountability Act -- and even stricter state laws regarding notification and nominal damages, coupled with heightened security among consumers, are tilting plaintiff firms toward the class-action suits.
"It's kind of a confluence of things," Mr. Stanton said, noting that HIPAA doesn't permit private attorney lawsuits. "While HIPPA doesn't have a private right of action, California does, so you combine the fact that providers are now required to give notice to patients when there has been a data breach, and the increasing awareness of sensitivity to privacy issues. There certainly are necessary things that they need to do."
The nominal damages established under the California Confidentiality Information Act of 1981 included a $1,000 per-instance clause -- in this case per patient -- for the wrongful exposure of private data, according to Allan Jurgesen, a partner with Hanson Bridgett, which has offices in Larkspur and San Francisco.
That's helping to drive health data lawsuits because nominal damages don't require actual harm, but instead only the act of releasing any information, according to Mr. Stanton.
"The fact of the violation is what gives rise to it. (Plaintiffs' attorneys) don't have to show actual damages," he said.
Providers and health plans, accordingly, are increasingly concerned by the risk. "It is of intense interest," said Mr. Jergesen, who represents hospitals, physician groups and other providers. "They are all concerned."
The suit against St. Joseph Health, filed by San Francisco law firm Keller Grover on behalf of two locally affected patients, claims the Orange-based health system was “negligent” and that it “unlawfully failed to maintain and preserve the confidentiality” of patients. It's not the first such suit filed by Keller Grover, a consumer protection and employment law firm.
With the lucrative sums coming from the nominal damages provision, few expect the convergence of class-action firms, data breaches, and increased concern over privacy matters among consumers to slow down. Indeed, it's already one of the most complicated areas of law in health care, said Louis Richardson, executive director of the California Society of Health Care Attorneys and vice president of privacy legal publications for the California Hospital Association.
Mr. Stanton said the nominal provision element of the law was recently slightly altered to allow for the possibility of an affirmative defense for defendants, meaning providers could at least make a systematic showing of adequate protections. Still, the impetus for trial attorneys is high when it comes to data breach suits, particularly given how a seemingly infinite number of patient records can be stored on a thumb drive.
"Twenty years ago, when I was giving presentations to hospitals on medical records, I always advised them of this law, but (then) you'd have to carry a pretty big crate of records for just 10 people," Mr. Stanton said.
Mr. Jergesen agreed, but added that consumers are far less likely to tolerate even a seemingly harmless or minor breach of any information than perhaps in the past.
"Everyone is concerned about privacy in general, so everyone is really into privacy in a way they weren’t before," Mr. Jergesen said. "And it’s all because of the ease with which information flows on the internet – we’re all concerned, all that plays a role. Maybe in the past, people would have said, 'Oh well, small mistake,' whereas now I think people are more likely to be outraged and seek legal redress."
