New Law Provides Affirmative Defense to HIPAA Liability in Data Breaches
In the age of electronic health records, online patient portals, and rapidly expanding telemedicine, there is an ever growing amount of personal and medical information available to be illegally accessed by wrongdoers with keyboards. As a result, federal and state governments and agencies have taken the “stick” approach by penalizing those who fail to protect their data, such as the $16 million payment Anthem made to the federal government in August for a breach that exposed the personal information of nearly 79 million people, and by recognizing a private cause of action for individuals to sue companies who violate HIPAA standards (see our previous article here).
In contrast, Ohio has recently taken the “carrot” approach by passing the Cybersecurity Safe Harbor Act (“Cyber Act”) that takes a new angle on the data breach issue by incentivizing companies to develop data security plans by offering legal protection rather than by fear of penalty. In the first law of its kind, the Cyber Act allows companies to use an affirmative defense against tort claims resulting from a data breach if an adequate cyber-protection program was in place at the time of the breach.
However, for a company to use the safe harbor, its cyber-protection protocol must meet the criteria set forth by the Cyber Act. Specifically, healthcare companies and practices must meet sector-specific laws and standards such as HIPAA and HITECH both in the written plan protocol, and its implementation. Additionally, the Cyber Act is not one size fits all as each security plan must be tailored in complexity and scope based on certain factors such as structure of the company, sensitivity of information, cost effectiveness of security improvements, and availability of tools.
While this law is specific to Ohio, it may be a sign of laws to come nationwide that would further encourage healthcare companies to protect themselves from suit by implementing strengthened data protection plans. Further, it indicates that HIPAA continues to be the standard on which healthcare companies need to base their compliance programs, regardless of whether HIPAA specifically applies to them. As such, we continue to recommend that all healthcare companies and medical practices protect themselves by preparing and enacting a HIPAA compliant data protection plan, or having their current plan audited for sufficiency.
For more information regarding the Cyber Act, please see Mayer Brown’s article here.
If you have questions regarding HIPAA compliance or data protection plans, please contact Robert J. Fisher at firstname.lastname@example.org.