Business Associates Beware: HIPAA Class Action Highlights Risks of Insufficient Business Associate Due Diligence


By: Christopher A. Parrella, Esq., CPC, CHC, CPCO, Parrella Health Law, Boston, MA, a health care provider defense and compliance firm

A recent decision in Dusterhoft v. OneTouchPoint Corp., from the U.S. District Court for the Eastern District of Wisconsin, underscores the need for healthcare entities regulated as HIPAA "Covered Entities" to diligently assess and monitor their Business Associates for privacy and security compliance. The court's ruling allows the putative class action to proceed, illustrating the exposure Covered Entities face when a Business Associate fails to secure patient information.

In this case, OneTouchPoint Corp., a brand management and logistics provider for healthcare entities, experienced a breach affecting 2.6 million individuals’ data, including Social Security numbers, health insurance information, and other sensitive data. The breach impacted patients across nearly 40 health insurers and providers, sparking a class action from plaintiffs in multiple states.

Plaintiffs argued that they were injured by the time and resources they spent mitigating the breach's effects. The court dismissed the claims based solely on a diminution in the value of their personal information, but it held that the time and effort spent to guard against further harm was enough to establish standing. Importantly, the court also allowed the negligence and negligence per se claims to advance, rejecting OneTouchPoint's argument that, because HIPAA and the FTC Act create no private right of action, they cannot supply the standard of care for a negligence per se claim. Neither statute lets a patient sue directly; the plaintiffs are instead using them to define what reasonable data security looks like. That reasoning leaves open similar claims against other Business Associates and the Covered Entities that rely on them when a vendor suffers a breach.

The implications are clear: Covered Entities should rigorously evaluate Business Associates' data protection measures before sharing protected health information and periodically thereafter, not only sign the Business Associate Agreement that 45 CFR 164.504(e) requires. Practical steps include requiring evidence of a current HIPAA Security Rule risk analysis, writing security-audit and assessment rights into the contract, setting breach-notification deadlines shorter than the 60-day outside limit in 45 CFR 164.410, and insisting on indemnification for breaches caused by the vendor. This case is a reminder that a Business Associate's failure becomes the Covered Entity's problem, and that robust due diligence protects both patients and the entity from costly litigation.

At Parrella Health Law, we can assist you with developing and implementing rigorous compliance programs that cover every aspect of Business Associate due diligence. Contact us at 857.328.0382 or reach out to Chris directly at cparrella@parrellahealthlaw.com to learn more.

Christopher A. Parrella, Esq., CPC, CHC, CPCO, is a healthcare defense and compliance attorney at Parrella Health Law in Boston. With extensive experience in healthcare law, he provides legal support in regulatory compliance, audits, healthcare fraud defense, and reimbursement disputes. Christopher emphasizes client-centered advocacy, offering one-on-one consultations for personalized guidance. His proactive approach helps clients navigate complex healthcare regulations, maintain compliant operations, and defend against government investigations, audits, and overpayment demands.
