Groups to pay $4M for privacy offense

Stanford hit with class action lawsuit over state law, not HIPAA

It's not only federal HIPAA privacy and security violations that may end up costing industry groups a pretty penny. There are also state privacy laws to heed.
 
Case in point: Stanford Medicine, which as a group has already reported five big HIPAA breaches in the last three years, together with its business associate may now be required to hand over a $4.1 million class action settlement after violating California's medical privacy law. 
 
The settlement, which was given approval last week by Los Angeles County Superior Court Judge Elihu Berle, stems from a 2010 incident when Stanford Hospital and Clinics notified nearly 20,000 of its patients that their protected health information had been wrongfully posted to a student website. The information, which included medical diagnoses and patient names, stayed posted on the public website for almost one year. 
 
One of those patients, Shana Springer, filed a $20 million class action lawsuit against Stanford and its partly-responsible business associate Multi-Specialty Collection Services back in September 2011 for violating California's Confidentiality of Medical Information Act. 
 
According to SHC officials, the vendor will be paying the lion's share of the settlement, more than $3.3 million of the total $4.1 million. SHC will pay $500,000 for a vendor education fund and is also covering some $250,000 in settlement administrative costs.
 
"It should be no surprise that when patients are treated at Stanford's facilities, they expect that their private medical information will be kept confidential and will not be disclosed to anyone without their authorization," read the original complaint. "Indeed, California law requires that medical providers maintain their patients' medical information confidential and prohibits the disclosure of such information without the patient's written authorization."
 
When Stanford Hospital and Clinics notified patients, it claimed it had sent Multi-Specialty Collection Services encrypted patient information for "permissible business purposes," making the company "responsible by law and contract for protecting all patient information provided to it for its services."
 
"Our contractors are explicitly required to commit to strong safeguards to protect the confidentiality of our patients' information," said then Chief Privacy Officer Diana Meyer, in a September 2011 press release. "We have worked extremely hard to identify all the parties responsible. No hospital staff member was involved in posting the file to the website. We will continue to take aggressive action to hold all responsible parties accountable."
 
However, this was far from the first medical privacy offense for Stanford Medicine, which comprises Stanford Hospital and Clinics, Lucile Packard Children's Hospital and Stanford School of Medicine. On the contrary.
 
Since 2010, the group has reported five large HIPAA breaches, compromising the protected health information of more than 92,000 patients.
 
Four of the breaches involved the theft of unencrypted company laptops. 
 
To date, nearly 30 million individuals have had their PHI compromised in a HIPAA privacy or security breach, according to data from the Department of Health and Human Services.
 
Theft currently accounts for the lion's share of HIPAA privacy and security breaches, representing some 48 percent of all breaches reported, as Susan McAndrew, deputy director for health information privacy at HHS' Office for Civil Rights, pointed out at HIMSS14.
 
"Pay attention to encryption," said McAndrew, particularly for any devices that can leave the office. "We're interested in protecting the data. You may be interested in protecting the property. We want to turn this into property losses as opposed to data losses."
 
HIPAA-covered entities and, now, business associates, have handed over some $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that just from last year. And this isn't counting the state and private legal settlements.