BreachExchange mailing list archives

Breach-related lawsuit against Adventist Health dismissed for lack of subject matter jurisdiction


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 8 Jul 2013 10:07:58 -0500

http://www.phiprivacy.net/?p=13060

Law360 reports that Adventist Hospital System/Sunbelt Inc. succeeded
in getting a federal court to dismiss a potential class action lawsuit
against it.  As noted previously on this blog, the lawsuit stemmed
from employees at Florida Hospital Celebration selling patient
information.  Adventist had moved to dismiss Richard Faircloth’s
lawsuit on grounds that the federal court lacked subject matter
jurisdiction because HIPAA does not provide for a private cause of
action.

In an order issued July 3, Judge Roy B. Dalton Jr. explains that the
breach of contract and other claims raised by Faircloth do not arise
under federal law:

These are simply state law claims for which the standard of care
involves patient privacy, which happens to be regulated by HIPAA. “The
privacy standards imposed by HIPAA are not uniquely federal and do not
raise any issue of great federal interest.” K.V. Women’s Healthcare
Network, No. 07-0228-CV-W-DW, 2007 WL 1655734, at *1 (W.D. Mo. June 6,
2007). Thus, the federal issue in this case is not substantial and
finding federal question jurisdiction would disrupt the federal-state
balance approved by Congress.

Dalton’s order was consistent with many other rulings that HIPAA does
not provide a means for plaintiffs to sue providers in the federal
courts, and Faircloth’s lawsuit was dismissed without prejudice.

According to Edmund A. Normand, one of Faircloth’s attorneys,
Faircloth has filed suit in Orange County Circuit Court in Orlando,
Florida. In a statement to PHIprivacy.net, he notes that while there
is a clear need for uniform federal privacy protections pursuant to
HIPAA, certain federal courts see otherwise and prefer state by state
applications of privacy protections.  He writes:

“We hope that this case will provide an impetus for health care
providers to implement security standards so that when a patient is
treated at a hospital they can be sure that their private information
will remain private, free from sale to data scavengers and others who
want the data for reasons other than providing quality health care to
patients.”

A few huge penalties from HHS for failure to adequately secure patient
data wouldn’t hurt that cause, either.