- A Wisconsin-based publishing company recently filed a lawsuit claiming that it is being exposed to potential liability for unauthorized exposure of individuals’ personal health data. The concern over possible health information exposure violations stem from the company receiving faxes containing medical information.
Moose Moss Press states in an affidavit published by Courthouse News that it began receiving faxes intended for Envision RX, a national pharmacy benefit management company, in August or September 2015.
Moose Moss’ owner deleted the faxes at first, and then began to work with an Envision RX representative. However, the faxes did not stop being sent to Moose Moss, which is when the publishing firm saved the faxes and created a log as evidence.
“At no time did Moose Moss Press LLC solicit the personal medical information of Envision RX clients,” the affidavit reads. “In fact, at no point in time, previous to the deluge of medical information, has Moose Moss Press LLC ever transacted business, or engaged in communications with Envision RX.”
The lawsuit adds that Moose Moss entered into lengthy negotiations with Envision in an effort to sell its fax number. However, a formal agreement was never reached, and Envision “opted out of any continued negotiations.”
“Each new fax containing personal health information from an Envision RX customer, Moose Moss Press incurs substantial liability for the unauthorized disclosure of personal information,” the lawsuit explains.
Moose Moss is also seeking a preliminary and permanent injunction, in addition to at least $500,000 in damages for claims of negligence and private nuisance.
While it is concerning that medical information was repeatedly sent to an unauthorized third-party, it is important to note that the publishing firm is not listed as a HIPAA covered entity or business associate.
The HIPAA Privacy Rule specifically applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically.
Business associates are also liable to HIPAA rules and regulations, and function or conduct “activities on behalf of a covered entity including claims processing, data analysis, utilization review, and billing.”
“Persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all,” HHS states on its website.
There are also three exceptions to the HHS definition of a PHI data breach. First, if a “workforce member or person acting under the authority of a covered entity or business associate” unintentionally accesses or acquires PHI “in good faith and within the scope of authority,” then it is not considered a HIPAA breach.
The second exception applies when PHI is inadvertently disclosed “by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates."
In either of these cases, if a HIPAA covered entity had an authorized individual inadvertently disclosed information to another authorized individual or entity, an exception may apply. However, Moose Moss is not described as being either a covered entity or business associate.
The final exception to a PHI data breach is that if the covered entity or business associate “has a good faith belief” that the unauthorized party that received the PHI would not have been able to retain the data, it is not considered a HIPAA data breach.
While Moose Moss did not want to continue to receive medical information, and reportedly attempted to have the data stop being sent to its location, it is unlikely that OCR would seek damages from the firm.
Overall, this case should be a lesson to covered entities and business associates that current and comprehensive business associate agreements are in place. Furthermore, healthcare organizations that fall under HIPAA regulations need to ensure that they are continuously working to keep their PHI security programs up to date.