Taking reasonable preventative care is a must as healthcare breaches grow in number.
The Anthem data breach has triggered over 90 lawsuits and scrutiny from numerous state insurance commissioners, law enforcement officials and the National Association of Insurance Commissioners. Other significant data breaches have occurred in the healthcare industry, and substantial litigation has ensued.
In the past, most data breach cases were settled or dismissed, because courts concluded that the plaintiffs’ injuries were too speculative to support a lawsuit, dismissing the cases either for failure to establish standing or to plead a legally compensable injury. However, a few courts in consumer class actions recently have concluded that the alleged injuries arising from a data breach are sufficiently certain to allow the cases to go forward, allowing plaintiffs to take discovery on how the breach occurred and what the defendant did or failed to do before the breach to prevent it. At the same time, regulators are increasing scrutiny of companies that suffer data breaches. Ultimately, the defendants in these cases and regulatory investigations will have to prove that they took reasonable steps to prevent the data breach before it occurred.
These developments point to the importance of a company conducting and documenting “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity” (“Risk Assessment”) and determining and documenting the “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” (“Written Information Security Plan” or “WISP”). The Risk Assessment and WISP, if properly prepared, can be a company’s strongest evidence in defending against data breach claims.
Since the Risk Assessment and WISP may become evidence in a legal proceeding, it is important to obtain legal advice in preparing these documents, as well as technical advice from an IT security expert. All emails, expert reports and drafts produced while preparing a Risk Assessment and WISP can also become evidence in a legal proceeding, so care must be taken in preparing these preliminary materials as well. Retaining legal counsel to work with the technical expert and to provide legal advice regarding the company’s legal obligations may protect the confidentiality of the preliminary documents under the attorney-client privilege.
In addition, legal counsel can provide input regarding frameworks of potential security controls to consider in formulating a plan. Various organizations have published standards listing potential controls, and from a legal perspective each set of standards has pros and cons as a starting point for the analysis. It is important to select industry standards that will have credibility in a courtroom but, at the same time, are practical. Legal counsel can also provide input regarding which controls have been the focus of regulatory actions and class action settlements.
Legal counsel can also help structure the process to be consistent with applicable law. For example, IT experts should be asked to identify potential security controls to be discussed with the company. The company, after receiving input from the expert and legal counsel, is responsible for deciding which controls are reasonable from a cost/benefit standpoint. Those decisions should then be implemented and documented in the WISP.
Bottom line: Since a Risk Assessment and WISP and the preliminary documents leading up to them may become evidence in a legal proceeding, legal input is critical in making sure that this evidence will support the company’s position and not be used against it.
ABOUT THE AUTHORS
Robert Kriss is a partner in Mayer Brown’s Privacy & Security group in Chicago, Illinois. James R. Woods is co-leader of Mayer Brown’s global Insurance Industry Group based in New York, New York and Palo Alto, California.
This column is written for informational purposes only and should not be construed as legal advice.