

Healthcare Litigation Concerns for Business Litigation Lawyers

David Jonathan Cross and T L Summerville


For some, the subject of healthcare litigation may conjure medical malpractice or other actions involving the provision of medical care. The healthcare industry is far more complex, of course, and healthcare litigation can encompass a wide range of legal areas, including fraud, contract claims, employment discrimination, and violations of various state and federal statutes. Indeed, many issues that arise in healthcare matters are familiar and recognizable from other areas of business or commercial litigation. But given the unique nature of the medical provider-patient relationship, the confidential nature of patient information, and state and federal regulatory schemes, healthcare litigation often involves issues that require input from litigators who are well-versed in healthcare law and business disputes. HIPAA compliance is an area where counsel might be engaged to advise healthcare entities in order to avoid protracted administrative litigation or enforcement actions.

HIPAA violations occur when there is “a failure to comply with any aspect of HIPAA standards and provisions detailed in 45 CFR Parts 160, 162, and 164.” Violations include the unauthorized disclosures of protected health information (PHI), breaches of patient confidentiality, failure to conduct risk analysis, and more. A client’s failure to adhere to HIPAA’s rules and regulations can lead to serious legal or remedial enforcement actions that include significant civil penalties. While HIPAA does not provide for a private right of action, the U.S. Office of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, which apply to both healthcare providers and health plans (covered entities) and their business associates. Business associates and subcontractors are areas of special concern.

Under HIPAA, a business associate is a person or entity, other than a covered entity, that handles PHI. Business associates are subject to the same rules designed to protect PHI that covered entities must follow. If the OCR receives a report or complaint that a business associate has violated a HIPAA provision, an enforcement action in the form of an investigation or audit may follow. That investigation could, in turn, result in a variety of other actions, ranging from voluntary corrective actions to the imposition of civil and even criminal penalties that may spill over to covered entities. Attorneys assisting covered entities can help their clients avoid becoming involved in enforcement actions pertaining to their business associates in a number of ways. Some of these actions include the following:

  1. Adopt written policies, called “security rules,” and ensure business associates and subcontractors comply with them.
  2. Put in place procedures to ensure immediate responses to reported HIPAA violations or breaches.
  3. Timely report security incidents and breaches and ensure that business associates self-report HIPAA breaches.
  4. Maintain required documentation, as well as records identifying employees and others who may handle PHI.
  5. Become knowledgeable about other federal or state policy laws that might be more stringent than HIPAA.

Consequences for HIPAA violations can be severe, and a covered entity’s compliance obligations extend to its business associates and subcontractors. Healthcare counsel should be well versed in HIPAA compliance in order to avoid potentially expensive and burdensome interaction with state and federal regulators who enforce the HIPAA Privacy and Security Rules. In the event a breach is reported or suspected, the measures described above, and others, will assist lawyers with investigating the cause and defending the client in the event enforcement action is commenced.