Quest, Labcorp Breach Highlights Limits of HIPAA's Vendor Oversight
HIPAA lays out the responsibilities that both covered entities and vendors have in the event of a data breach, but service agreements can still play a vital role in determining where critical—and costly—responsibilities fall.
June 11, 2019 at 12:15 PM
3 minute read
Earlier this week, both Quest Diagnostics and LabCorp revealed that they were among the entities whose customers had their data compromised as part of a larger cyber breach that befell the billing and collections service American Medical Collection Agency (AMCA). Such data included customer's birth dates, addresses, phone numbers, date of service, and health provider and balance information.
In a news release, Quest indicated that the AMCA systems impacted by the breach contained information on approximately 11.9 million of their patients. Meanwhile, LabCorp filed a report with the Securities and Exchange Commission indicating that data from approximately 7.7 million of its customers was breached.
So what happens next? To be sure, the Health Insurance Portability and Accountability Act (HIPAA) regulates the healthcare industry's use of identifying information like patient names, date of birth, phone numbers and provider names. Still, when and where HIPAA comes into play when breaches happen at third parties isn't always so cut and dry.
“The ambiguity or the key kind of analysis is understanding the relationship and exactly what the vendor is doing for the covered entity,” said Ryan Blaney, chair of the privacy and data security practice at Cozen O'Connor.
Covered entities such as a hospital or lab could potentially maintain contracts with dozens of vendors or business associates, but HIPAA was not created with trash collectors in mind. The parameters of the act only encompass service providers who are performing a function that the covered entity is required to do under HIPAA, such as debt collection.
Iliana Peters, a shareholder at Polsinelli, said that at the end of the day, business associates that fall under the umbrella of HIPAA are liable if they disclose information in a way that is not allowed by the act's privacy rule, which requires appropriate safeguards to protect personal health information in addition to setting limits on uses and disclosures. They also have the responsibility of alerting the covered entities to the breach.
“Also if there's some kind of security safeguard that was implicated like they didn't patch their software [or] they didn't have malware protection, then the business associate would be liable,” said Peters.
Covered entities aren't entirely off the hook either, though. Stephanie Trunk, a partner at Arent Fox, pointed out that covered entities are still responsible for reporting and mitigating breaches even if they do occur at or because of a business associate.
“As these latest breaches illustrate, it's critical that covered entities review business associate HIPAA policies and practices, including technology solutions, to prevent breaches and unauthorized access by third parties,” Trunk said.
Still, the individual business associate agreements that exist between a covered entity and its vendor can throw some curveballs into the process. While HIPAA may designate covered entities responsible for notifying consumers impacted by a breach, it's not uncommon for such entities to negotiate provisions into their service agreements that would pass the baton back to the vendors.
“Just like contracts, there's leverage, and depending on the party you can require some additional things and you can specify—and hopefully you do specify—who's going to provide the notification because that can be costly,” Blaney said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1The State of Cost Recovery — Post COVID
- 2Why Is It Becoming More Difficult for Businesses to Mandate Arbitration of Employment Disputes?
- 3The Whys and Hows of a Mediator’s Proposal
- 4Litigators of the Week: A Trade Secret Win at the ITC for Viking Over Promising Potential Liver Drug
- 5Litigator of the Week Runners-Up and Shout-Outs
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
