As a health information management company and a business associate of many healthcare facilities, we understand the potential fines from the Office for Civil Rights surrounding breaches and the precautions that must be taken in order to keep breaches and fines away from companies like ours. However, as time progresses, so are the rulings. The potential fines for breaches are not just limited to OCR HIPAA violations. Recently, the Federal Trade Commission has begun invoking the False Claims Act against healthcare providers and business associates that claim on their business websites and other media outlets that their patient data is safe, but then they are subject to a data breach.
The False Claims Act
This has been a controversial issue throughout the healthcare field, as many involved have expressed their disapproval of the False Claims Act. Many feel that the government is trying to "double dip" with fining healthcare facilities and business associates of healthcare facilities, arguing that the Federal Trade Commission does not have anything to do with healthcare services. Regardless, the False Claims Act is actively being implemented. An example of the False Claims Act in action can be found in a recent 2013 case involving LabMD of Atlanta. A year after the breach occurred, LabMD was shut down by the FTC after a breach was linked to inadequate security in one of their BA's file sharing systems.
The Rise of Civil Lawsuits
Another growing trend is the increased number of civil lawsuits for HIPAA violations. When the Office for Civil Rights hands out penalties and fines for violations, the patients involved typically never see any money from the suit. All the money collected from the fines handed out goes right back into the OCR to allow it to grow and conduct more audits. Despite all this, the HITECH Act has given state attorney generals permission to file civil suits on behalf of patients to cover damages done related to the breach or violations.
Business associates are responsible for roughly 58% of patient data breaches. We must all work extremely hard to make sure we do not become part of a negative statistic. As a business associate to healthcare facilities, proving the utmost security and maintaining a great relationship with all of our partners is key. Keep all this in mind, so your business isn't next on the HHS's HIPAA "Wall of Shame".
- Stuart Mobley, Director of Quality and Compliance