Potential liability severe for allowing identity theft

Risk managers should be highly motivated to protect patient information that could lead to identity theft, says Leila Narvid, JD, an attorney with Sideman & Bancroft in San Francisco. The potential liability is huge.

Laws and liability will vary according to your state, but California, for instance, has enacted a security breach notification law that imposes responsibilities on the part of health care entities beyond those established by the Health Insurance Portability and Accountability Act (HIPAA). Narvid explains that the California Security Breach Information Act, codified as California Civil Code Sec. 1798.82 et seq., requires that businesses and organizations that conduct business in the state or own information about California residents must inform their consumers when an unauthorized person obtains access to personal information, such as Social Security numbers, driver's license numbers, and financial information. The law's disclosure requirements are triggered when "unencrypted personal information was or is reasonably believed to be acquired by an unauthorized person."

In California, a health care organization failing to promptly notify the patient victim whose personal information has been accessed by an unauthorized person is liable for statutory damages and equitable relief, Narvid says. "In addition, the health care organization may be vulnerable to a common-law action for negligence per se, meaning the health care organization could be found to be intrinsically negligent," she adds.

Narvid notes that the HIPAA rule for security breaches is more abstract. The security rule is, in practice, an outline for security planning and implementation, rather than a precisely defined set of rules (unlike the California Security Breach Information Act). The general requirement of the security rule is that health care organizations that "collect, maintain, use or transmit protected health information in electronic form" must construct "reasonable and appropriate administrative, physical and technical safeguards" that ensure the confidentiality of health care information. Such measures must provide protection against "any reasonably anticipated threats or hazards."

"The risk is great and warrants a thorough effort to protect confidential patient information," she says. [Editor's note: For more advice on liability from identity theft, contact Leila Narvid, JD, Sideman & Bancroft, One Embarcadero Center, Eighth Floor, San Francisco, CA 94111. Telephone: (415) 392-1960. E-mail: lnarvid@sideman.com.]