Federal Court Finds Breach of Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement Resulting from Identity Theft
A federal court decision from Florida illustrates the contractual remedy a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) has when the entity’s business associate breaches the parties’ business associate agreement (BAA) regarding protected health information (PHI).
At the heart of the dispute in Managed Care Solutions, Inc. v. Community Health Systems, Inc., No. 10-60170-CIV (S.D. Fla. June 20, 2013) was a BAA addendum to a professional services agreement between a billing company, Managed Care Solutions (MCS), and a hospital system, Community Health Systems (CHS). The BAA prohibited MCS, as a business associate of CHS, from using or disclosing PHI from CHS for any purpose other than those allowed by the BAA or HIPAA regulations. The BAA further provided that upon CHS’s knowledge of a “material breach” of the BAA by MCS, CHS could allow MCS to cure the breach or could immediately terminate the BAA and the underlying agreement. Following the arrest of an individual whom MCS had hired through a temporary placement agency to work at a CHS hospital, CHS terminated the underlying agreement, citing the employee’s “identity theft” of PHI. MCS in turn sued for breach of contract.
On a motion for summary judgment, the court ruled in CHS’s favor, holding that MCS “provided no plausible alternative theory to the CHS’ contention that [the employee] violated the HIPAA Addendum thereby allowing CHS to terminate its contract with MCS.” The court noted that the evidence established that the employee, who had an “extensive history of theft by deception,” improperly obtained PHI in violation of the BAA—specifically, credit card and social security numbers that corresponded with those in patient records dated during the employee’s tenure at the CHS hospital. The court further observed that CHS knew of the employee’s actions, evidenced by its statement in its termination letter to MCS that it had learned from the police that the employee “wrongly and without authorization” acquired PHI to obtain patients’ credit cards to make purchases. Finally, the court concluded that the employee’s removal of the information was a clear breach of the BAA, which “violated the essential trust patients place in their healthcare providers and healthcare providers place in the companies with which they contract to aid in the provision of healthcare,” and therefore CHS properly terminated the underlying agreement.
The court’s decision arrives amid recent regulatory developments that impose increased compliance requirements on business associates and BAAs. Among the requirements of a final rule released by the U.S. Department of Health and Human Services this past January, a business associate may incur direct liability for using or disclosing PHI in a manner that exceeds what is allowed by the applicable BAA or HIPAA regulations, as occurred in Managed Care Solutions. Covered entities and their business associates have until September 23, 2013 to comply with most of the provisions of the final rule.