Nearly three months after Richard Faircloth filed a class action lawsuit against Adventist Health System/Sunbelt, Inc. for violating the privacy rights of other patients at the Florida hospital, a federal judge has dismissed the case. U.S. District Judge Roy B. Dalton Jr. maintained that the HIPAA violations that Faircloth cited weren’t enough to be placed in front of him in a state court, according to mainjustice.com.
More than 740,000 patients’ data had been compromised and Adventist Health employees reportedly sold that data to outside individuals. Faircloth argued that though HIPAA doesn’t allow private patients to sue healthcare organizations, a federal judge should determine whether Adventist was in the wrong because HIPAA’s privacy language dictates how Florida state laws are interpreted. “These are simply state law claims for which the standard of care involves patient privacy, which happens to be regulated by HIPAA,” Dalton said in his dismissal order, according to PHIPrivacy.net. “The privacy standards imposed by HIPAA are not uniquely federal and do not raise any issue of great federal interest.”
In failing to safeguard protected health information (PHI), Faircloth sued Adventist for breach of contract, breach of implied contract, breach of implied covenant of good faith and fair dealing, unjust enrichment and breach of fiduciary duty. Adventist Health argued in response that the suit shouldn’t have gone to federal court and filed for dismissal on May 2.
Edmund A. Normand, one of Faircloth’s attorneys, made this statement to PHIPrivacy.net:
“We hope that this case will provide an impetus for health care providers to implement security standards so that when a patient is treated at a hospital they can be sure that their private information will remain private, free from sale to data scavengers and others who want the data for reasons other than providing quality health care to patients.”
Though this case didn’t hold up in federal court, it remains interesting because this lack of patient data protection had been going on at Adventist for more than two years before coming to an end. We know that Adventist advises its organizations to perform risk assessments. In fact, Sharon Finney, Corporate Data Security Officer at Adventist told an audience at the HIMSS Privacy and Security Forum last December that she advises organization to do them continually. So it’s reasonable to assume with the proper risk assessment, Adventist wouldn’t be dealing with this breach in the first place.