November 14th, 2014.
An article by David Harlow on his blog entitled, HIPAA: Liability to Private Parties for Violations discussed how last week
Connecticut joined at least nine other states (DE, KY, ME, MN, MO, NC, TN, UT, WV in recognizing that, while HIPAA does not create a private right of action for violation of privacy, it does constitute a standard against which the actions of a defendant in such a case will be judged. In other words, if a covered entity or business associate or downstream contractor releases PHI other than in accordance with HIPAA (i.e., for treatment, payment or health care operations purposes, or to or at the direction of the data subject or his or her legal representative), the breach of the HIPAA rule may be the basis for a finding of a breach of a duty of care in a state court negligence action.
“Of course..we have long advised primary care ( covered entities) and business associates that the potential liabilities and damages of non HIPAA compliance exceeds solely HHS-OCR audit failure penalties (which are potentially significant ..may I add). It is possible in the context of a breach that a case could be made potentially for operational neglect. ” as per Al Rozell from InfoTech Innovators. Mr Rozell goes on to add “HIPAA compliance is a way of conducting business and is not a single point in time attestation that just exists on a dusty report. The policies, procedures, practices, safeguards and monitoring must happening day in and day out. To us, that is the operational burden of proof. Now, if a practice or BA has not conducted a HIPAA Security Risk Assessment, they are not even at the starting gate. An EHR is not a silver bullet that can holistically or magically make a practice HIPAA compliant… audits, assessments, other safeguards, policies, procedures and practices are part of the picture too.“
