As the health care sector moves toward wide-scale adoption of electronic medical records, the potential for personal-data breaches has significantly increased, creating a precarious legal environment for health plans and providers while class-action firms are carving out a lucrative niche in California.
In the past 18 months, health systems such as Sutter Health, Kaiser Permanente, Stanford Hospitals and Clinics, Health Net and numerous others have experienced data breaches. Among them is St. Joseph Health, whose breach affected some 10,000 patients in Sonoma and Napa counties, where it operates three hospitals.
The ramifications can be steep -- St. Joseph Health is facing multiple lawsuits, one filed in Sonoma County for $31.8 million, or $1,000 for each of the 31,800 patients affected across California. Other health systems have seen lawsuits to the tune of $500 million.
A number of factors are behind the recent spike in such lawsuits, including technological advances in health information, spurred at least in part by the Health Information Technology for Economic and Clinical Health, or HITECH, Act, according to Clark Stanton, a partner with Hooper, Lundy & Bookman, a firm with offices in San Francisco and Los Angeles that specializes in health care.
The act, part of the 2009 American Reinvestment and Recovery stimulus, permitted the Centers for Medicare and Medicaid Services to promote electronic medical records by way of enhanced reimbursement for providers who demonstrate so-called "meaningful use" of EMRs, or decreased reimbursement for those who don't adopt electronic records.
Additionally, federal laws -- most prominently the Health Insurance Portability and Accountability Act -- and even stricter state laws regarding notification and nominal damages, coupled with heightened security among consumers, are tilting plaintiff firms toward the class-action suits.
"It's kind of a confluence of things," Mr. Stanton said, noting that HIPAA doesn't permit private attorney lawsuits. "While HIPAA doesn't have a private right of action, California does, so you combine the fact that providers are now required to give notice to patients when there has been a data breach, and the increasing awareness of sensitivity to privacy issues. There certainly are necessary things that they need to do."
The nominal damages established under the California Confidentiality Information Act of 1981 included a $1,000 per-instance clause -- in this case per patient -- for the wrongful exposure of private data, according to Allan Jergesen, a partner with Hanson Bridgett, which has offices in Larkspur and San Francisco.
That's helping to drive health data lawsuits because nominal damages don't require actual harm, but instead only the act of releasing any information, according to Mr. Stanton.
"The fact of the violation is what gives rise to it. (Plaintiffs' attorneys) don't have to show actual damages," he said.
Providers and health plans, accordingly, are increasingly concerned by the risk. "It is of intense interest," said Mr. Jergesen, who represents hospitals, physician groups and other providers. "They are all concerned."
The suit against St. Joseph Health, filed by San Francisco law firm Keller Grover on behalf of two locally affected patients, claims the Orange-based health system was “negligent” and that it “unlawfully failed to maintain and preserve the confidentiality” of patients. It's not the first such suit filed by Keller Grover, a consumer protection and employment law firm.
With the lucrative sums coming from the nominal damages provision, few expect the convergence of class-action firms, data breaches, and increased concern over privacy matters among consumers to slow down. Indeed, it's already one of the most complicated areas of law in health care, said Louis Richardson, executive director of the California Society of Health Care Attorneys and vice president of privacy legal publications for the California Hospital Association.