By: Stephen Siegel
A recent decision by the United States Court of Appeals, Eleventh Circuit (which includes Florida), underscores the importance of both covered entities and business associates adopting electronic security measures that are consistent with the guidance provided by HIPAA_HITECH.
HIPAA provides protection from the unauthorized disclosure or use of an individual patient’s protected health information. The federal government and the state attorney generals have the power to prosecute violations of HIPAA. However, Congress did not provide a similar right (a “private right of action”) to individuals who may be harmed by an unauthorized disclosure of their PHI. The Eleventh Circuit’s decision suggests that injured individuals may be able to obtain relief from HIPAA-HITECH related injuries under state law.
In December 2009, two laptop computers were stolen from AvMed, Inc., a Florida health maintenance organization. These laptops contained the unencrypted Social Security numbers, names, addresses, phone numbers and other PHI of approximately 1.2 million current and former AvMed enrollees. Unfortunately, individuals involved in an identity theft scheme obtained this information. Allegedly, some of the AvMed enrollees had their identities stolen. According to one Plaintiff, information obtained from the stolen AvMed computers was used to open a bank account, activate credit cards that were then used to make unauthorized purchases and change their personal address with the U.S. Postal Service. Another Plaintiff alleged their information was used to open an account with an on-line brokerage firm, which was subsequently overdrawn.