• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • location_onContact
  • (330) 673-9500

Ickes \ Holt LLC

Information Security. Corporate Law. Litigation

  • Home
  • Attorneys
    • James Ickes, Esq., HCISPP, GLEG
    • Joel A. Holt, Esq., CIPP/US
  • Practice Areas
    • INFORMATION SECURITY & PRIVACY
      • A Call to Action
      • Data Breach Lawsuits
    • MEDICAL CANNABIS
    • LITIGATION
    • CORPORATE LAW
    • TRANSACTIONAL LAW
  • Insights
  • Our Philosophy
  • Payment Portal
  • Search

Mar 30, 2016 Leave a Comment

Hungry, Hungry HIPAA

Gavel-stethoscope-e1317225014779One recent case that didn’t get much attention, but should have, clarifies Ohio health care providers’ potential exposure for the unauthorized disclosure of patient health information (“PHI”).  On August 14, 2015, the Second District Court of Appeals decided Sheldon v. Kettering Health Network. [i]   In Sheldon, the Second District addressed patients’ rights related to the unauthorized disclosure of PHI.  Although the plaintiff was ultimately unsuccessful, the court affirmatively held that the Health Information Portability and Accountability Act (“HIPAA”) does not prevent a patient for asserting a common law tort claim for unauthorized disclosure of medical information.  On February 10, 2016, the Ohio Supreme Court declined to review the correctness of the Second District’s decision.  At that point, Sheldon effectively removed more than fifteen (15) years of gray area on the matter.[ii]

Prior to Sheldon, the Ohio Supreme Court decided Biddle v. Warren Gen. Hosp.[iii]  In Biddle, the Court held that, in Ohio, a physician can be held liable under Ohio common law for unauthorized disclosures of medical information.  The cause of the “gray area” was that the Supreme Court decided Biddle before HIPAA’s privacy-rule regulations were published on December 28, 2000 and before its security-rule regulations took effect on April 21, 2003.[iv]   The Sheldon case provides considerable clarity on exactly how HIPAA and the HITECH Act coexist with Ohio common law tort claims.

One point verified by Sheldon is that, according to Ohio law,  HIPAA does not allow a private cause of action.[v]  However, the Second District then concluded that HIPAA does not preempt an Ohio state law claim for the independent tort recognized by the Ohio Supreme Court in Biddle:

“[T]he unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.”

The Second District went on the refer to such actions as “Biddle claims.”   The Second District went a step further in addressing how the standards delineated in the HIPAA regulations interact with Biddle claims.

The Second District held that violation of HIPAA does not provide for negligence per se claims.  The Court reasoned that to allow such a claim would essentially override HIPAA’s explicit prohibition of private causes of action.[vi]   However, buried in the Sheldon decision is one sentence that should send a shiver down the spines of physicians and the attorneys who represent them:

“[T]he violation of an administrative rule does not constitute negligence per se; however such a violation may be admissible as evidence of negligence.”[vii]

Essentially, HIPAA may not allow for a private cause of action, but according to Sheldon, a health care provider’s HIPAA dirty laundry can still be heard by a jury in conjunction with a Biddle claim.

More troubling is that recent Federal case law, although only persuasive authority for Ohio state claims, will make it much easier to get these types of cases to a jury.

In  July 2015, the Federal Seventh Circuit Court of Appeals decided Remijas v. Nieman Marcus Group, LLC[viii], a case involving a massive data breach.  The Seventh Circuit overruled the trial court’s ruling in holding that “injuries [of customers] associated with resolving fraudulent charges and protecting oneself against future identity theft do” provide sufficient standing to maintain a cause of action for those affected by a data breach.[ix]  Thus, in situations where a data breach has occurred, but no actual identity theft has occurred, Remijas establishes the framework for plaintiffs’ lawyers to overcome the heretofore solid defense of lack of standing due to intangible and speculative damages.   Although no Ohio court has applied the reasoning of Remijas, there is now a viable legal argument to be made in Ohio state law negligence claims.

With the spate of data breaches in the health care industry occurring around the country (including several in the state of Ohio), HIPAA covered entities must take action to ensure that information security processes and procedures are in place. Not only because the impending threat of litigation or the fact that the Department of Heath and Human Services has announced that 200 new HIPAA audits are in the pipeline for 2016.[x]  It is simply the right thing to do.  Perhaps the Hippocratic oath, in our digital age, should extend to patients’ identity as well as their health and wellness.

ICKES \ CALHOUN \ HOLT is a full-service, team-driven, and client focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations and ICKES \ CALHOUN \ HOLT is dedicated to advising clients on how to protect its information. Please contact us to discuss establishing or improving the information governance policies for your organization.

 

[i] Sheldon v. Kettering Health Network, 40 N.E.3d 661(App. 2d Dist. 2015)

[iii] Biddle v. Warren Gen. Hosp. , 86 Ohio St.3d 395, 401,1999-Ohio-115, 715 N.E.2d 518 (1999)

[iv]Sheldon at 671

[v] Id. at 670 citing Henry v. Ohio Victims of Crime Comp. Program, S.D.Ohio No. 2:07-cv-0052, 2007 WL 682427 (Feb. 28, 2007)

[vi] Id. at 674

[vii]Id. citing Chambers v. St. Mary’s School, 82 Ohio St.3d 563, 1998-Ohio-184, 697 N.E.2d 198 (1998)

[viii] Remijas v. Neiman Marcus Group, LLC, 794 F3d 688 (7th Cir. 2015)

[ix] Id.

[x] Raths, David, OCR’s Samuels Describes Launch of Phase 2 of HIPAA Audit Program, Health Care Infomatics, March 19, 2016

Categories: Consumer Privacy/Security, Cybersecurity, Data Breach, Data Security, HIPAA, Information Security, Information Security Litigation, Privacy Tags: breach, consumer information, Cybercriminals, data security, data security program, employee training, Information Security, Information Threats, Malefactor, Northeast Ohio, Patient Records, personal information, Privacy Information, qualified security professionals, security risks, security training

Reader Interactions

Leave a Comment Cancel

Primary Sidebar

Articles & News

Dec 10

Co-Parenting through Covid

Apr 09

TELEHEALTH RESTRICTIONS LIFTED

Mar 24

Guidance from HHS to First Responders Related to COVID-19

Categories

Our Reviews

Dianna Hendrickson
Dianna Hendrickson

5 out of 5 stars

posted 3 months ago

We were very happy with the service provided us. Joel was keen on details and doing things right the first time. We truly appreciated his looking out for us on what some lawyers might have passed off as an insignificant matter.

Heather Richmond
Heather Richmond

5 out of 5 stars

posted 5 months ago

I have been working with Jim Ickes at Ickes & Holt for the last three years. He has literally helped me to navigate my business legally and strategically. Even in California were I have resided I avoided going with the firms out here in Los Angeles. With Jim and his team I appreciated there midwest values and there approach to working with clients. Not only would I recommend him and his firm to everyone I work with I will continue to seek this wise counsel and the work the really do care about. I really feel he has sincerely cared about helping my business grow, Thank you Jim and Ickes and Holt!!

Danielle Kuestner
Danielle Kuestner

5 out of 5 stars

posted 1 week ago

I'm a college kid who Mr. Holt assisted. I also have a lot of anxiety and Mr. Holt helped ease the process of what I was going through legally, always reached out, and communicated with me about my case and the progress of it.

Read All 44 Reviews

Footer

Let’s Talk

Recent News

REGARDING PRIVACY OHIO SETS A HIGH BAR FOR MEDICAL MARIJUANA

Over the last few years, agencies such as the Federal Trade Commission have fostered a movement to encourage industry to implement the concept of privacy-by-design.  The idea behind privacy-by-design ... Read More

NFL and Players May Join Forces on Medical Marijuana

The National Football League generated $13 billion in revenue in 2016.[i]  The next closest professional sports league was Major League Baseball at $9.5 billion.  In comparison, the Premier League and ... Read More

Social Media

FacebookLinkedin

4301 Darrow Road, Suite 1100 | Stow, OH 44224
(330) 673-9500 p

© 2021 Ickes Holt | a full-service law firm