Determining Liability for a Data Breach
Government regulatory bodies, the Department of Health and Human Services’ Office for Civil Rights (OCR) in particular, investigate security breaches that expose Protected Health Information (PHI) and they will determine who has liability for a data breach.
If infringements of HIPAA Rules are discovered, or if a HIPAA-Covered Entity (CE) is found to have blatantly disregarded data security and privacy laws, the organization in question will receive an action plan to correct all violations. The OCR is also likely to issue a financial penalty and civil claims for damages are also likely to follow: Class action data breach lawsuits are all but guaranteed to be filed if PHI is exposed.
In many cases – such as when a CE fails to encrypt data stored on portable storage devices that are lost or stolen, or when paper files are dumped without first rendering the data unreadable – liability for a data breach is easy to determine.
However, other cases are not so clear cut, especially when Business Associates (vendors and contractors whose products or staff require access to PHI) are involved. It is possible for liability for a data breach to be shared between a Business Associate (BA) and a CE.
A CE must adopt the minimum standards for data security as demanded by the Health Insurance Portability and Accountability Act (HIPAA), but that CE is also responsible for any BA it employs. Any vendor, such as a provider of cloud services, must also adopt the same minimum standards as demanded by HIPAA. It is the responsibility of the CE to make sure this is the case.
Since the introduction of the HIPAA Omnibus Rule, any BA found to have violated HIPAA Rules can be punished directly, but this does not put the CE in the clear, as a number of organizations have discovered in recent months.
Liability for a Data Breach May be Shared by a CE and a BA
Business Associates have caused a number of healthcare data breaches in recent months; commonly as a result of a failure to understand HIPAA Rules covering data security; or for a failure to implement robust physical, administrative, and technical controls to safeguard PHI.
The OCR will ask questions of a CE after a data breach to determine what role, if any, it had in the breach. If, for example, the CE failed to obtained a signed Business Associate Agreement (BAA) with the BA in question, in which the responsibility of that BA is outlined, then liability for a data breach may not lie with the BA at all, but solely with the CE.
One of the most recent examples, although there have been many, comes from Oregon Health & Science University. A University faculty member recently discovered that trainee physicians and other healthcare professionals had started using Google Drive as a way of sharing information with each other; information that included PHI.
Physicians would upload data for other staff members to access; individuals who were authorized to view that information. As a result workflows were improved, so was efficiency, and all staff members could be quickly and easily kept up to data with important information.
Unfortunately, as the University knew all too well, under HIPAA Rules, PHI must be protected at all times and must not be disclosed to a Business Associate without a BAA being in place. While Google Drive did satisfy a number of security requirements, the data was not kept private from Google itself. Worse still, under the terms of service, any data uploaded to Google Drive could be used by the search engine giant to promote or improve its services. This would be an invasion of patients’ privacy and a violation of HIPAA.
In this case, liability for the data breach may not lie with the Business Associate. Google fulfilled its requirements as a service provider, but not as a healthcare Business Associate. However, since the company was not asked to, and no BAA was signed, it would not be liable for a HIPAA breach.
In this case, OHSU violated HIPAA Rules – albeit inadvertently and without its knowledge – but it would still be likely to be found liable for the HIPAA breach.
Had a BAA been obtained and signed, in which the responsibilities of the BA were outlined, the BA would be liable for the data breach. The CE would likely escape a penalty.