A HIPAA data breach case that stemmed from a business associate disclosing PHI will not be dismissed, according to a US District Court decision.
CVS Pharmacy, Inc. and Caremark Rx LLC (CVS) sought reimbursement from its business associate, Press America, Inc., following a 2012 PHI data breach.
CVS was responsible for providing beneficiaries of IBM’s health plan with mail order pharmacy services, court documents explained. Press America was in charge of mailing the information and incorrectly addressed mail containing beneficiaries’ PHI, which disclosed the data of 41 individuals.
CVS credited IBM $1,845,000 and then sought reimbursement from Press America, which the business associate refused. Press America then moved to dismiss the case, saying it was not obligated to pay. The Southern District of New York court denied the motion to dismiss in January 2018.
New York state law requires that a negligence claim establish “the existence of a duty on defendant’s part as to plaintiff” and that a breach of that duty took place. A negligence claim must also establish “injury to the plaintiff as a result thereof,” the Court explained.
“CVS alleges that ‘Press America owed CVS a duty of reasonable care in a manner consistent with the knowledge and ability possessed by such a vendor,’” the case stated. “Second, CVS alleges that ‘Press America breached its duty of reasonable care to CVS by, among other things, negligently disclosing PHI.’”
“Third, CVS alleges that it was damaged by Press America’s negligence because among other things, it was required to pay IBM, conduct an ‘exhaustive investigation’ into the extent of the disclosures, ‘assess the extent of various HIPAA compliance issues,’ and notify the affected customers,” the court continued.
Press America did not demonstrate that CVS failed to plausibly plead negligence, the decision read. The business associate also made the premature argument “that the payment provision in the IBM Contract was not the proximate cause of CVS’s damages.”
CVS and Press America had two written agreements together before the data breach took place. First, the two organizations entered into a Master Service Agreement and Statement of Work, where Press America said it would provide printing and mailing services to CVS. A second Statement of Work specifically outlined the printing services that would be required of Press America.
There was also a business associate agreement (BAA), where “Press America agreed not to use or disclose PHI except as specifically permitted by contract.”
The Court explained that the contracts also contained indemnity provisions. For example, the BAA established that CVS would be indemnified and held harmless “arising out of or in connection with any breach of the terms of this Agreement, any Breach of Private Information under the control of [Press America] or its agents or subcontractors that requires notification under the HIPAA Rules or state law, or any failure to perform its obligations with respect to Private Information by [Press America], it[s] officers, employees, agents, or any person or entity under [Press America’s] direction or control.”
CVS also had agreements with IBM, including one that required CVS to comply with “performance standards.” One of these standards explained that CVS must pay a fee in the event of a “Protection of Information Failure,” which included PHI disclosures.
“On December 31, 2012, CVS credited IBM $1,845,000—calculated as three percent of the annual fee amount at risk for the performance guarantees ($45,000), multiplied by the total number of disclosures,” the Court wrote. “Thereafter, CVS sought reimbursement from Press America. Despite CVS’s demands, however, Press America refused to pay.”
Press America claimed that there was no factual material presented in the Amended Complaint that showed what contract existed between CVS and IBM on the date of the data breach. However, the Court determined that the Amended Complaint “plausibly pleads that the IBM Contract existed and was in effect at the time of the disclosures.”
The language used in the Master Agreement and the BAA was broad enough to capture CVS’s payment to IBM, the Court added.
“There is no express exclusion in either of these provisions for contractual obligations that may be triggered by Press America’s negligence,” the decision read. “In the absence of such an exclusion, the language of the contract encompasses the payments to IBM triggered by Press America’s negligent acts.”
Citing a previous case, the Court also said reviewing “potential causes and determining which parties are liable is a task for a jury.”
“The enforceability of the IBM Contract’s payment provision may ultimately impact the Court’s evaluation of whether CVS is entitled to indemnification,” the Court wrote. “For example, Press America may argue that it was not within the intendment of the parties for it to be liable for reimbursement of an unenforceable penalty. But an evaluation of that argument is different from a direct attack on the enforceability of the provision, which Press America launches here, and the Court rejects.”
While the CVS and Press America case is not yet final, it is a strong example of why BAAs are so critical for healthcare organizations.
Under the HIPAA Omnibus Rule, business associates can be held liable for repercussions similar to those faced by covered entities should PHI become compromised.
Covered entities “are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract,” HHS states on its website, adding that covered entities are not responsible or liable for their business associates’ actions.
“If a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate,” HHS explains. “If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights.”
Covered entities must create and enforce applicable BAAs for comprehensive PHI security. Having the responsibilities of both parties described in writing helps determine the appropriate remedial steps, and who bears which costs, in the event of a data breach.