LITIGATION AND LEGISLATION

Safeguarding protected health information

Laurance Jerrold, Jacksonville, Fla

Let me know whether this sounds familiar. The doctor finishes work for the day. In his office, he uses some form of backup system whereby a disc or tape is created at the end of every day, and the doctor or office manager takes the backup medium home to safeguard the information in case of a fire, flood, earthquake, or other disaster. Generally speaking, it is placed in the doctor’s briefcase with his other papers of the day. When the doctor gets home, he takes his briefcase with him to review whatever he needs to that evening in preparation for the next day’s events. So far, this describes a fairly routine scenario for many of us. Now, suppose the doctor has an engagement after work; upon arriving at his destination, he places his briefcase in the trunk of his car because he does not want to check it at the restaurant he is going to. When he arrives home later that evening, he decides that it’s late, he won’t do any more work that day, he’s going to bed, and he leaves the briefcase securely locked in the trunk to be retrieved tomorrow when he gets to the office. Surprise, his car is broken into overnight, and the briefcase with its contents is stolen. His personal effects are missing, and so are his unencrypted backup discs or tapes containing hundreds (even thousands) of patient files with personal and medical information consisting of not only the patient’s clinical information but also personal information such as names, addresses, phone numbers, social security numbers, birthdates, parent’s information, and the list goes on. By this time, everyone reading this should have that sinking feeling in the pit of your stomach.

The doctor immediately contacts all patients involved, advising them of the loss of the data, profusely apologizing, although it was not his fault, and imploring them to take all necessary precautions to protect themselves from identity theft. Obviously, he will have many ticked-off patients. These are essentially the facts of Paul v Providence Health System-Oregon, 240 P.3d 1110 (Ore. Ct. App., 2010). Subsequently, a number of patients filed a class-action lawsuit against the doctor, claiming as damages that they suffered or will suffer: “financial injury in the form of past and future costs to monitor credit reports, recurring future costs to notify and re-notify credit bureaus of fraud alerts, costs of notification to the Social Security Administration, the Immigration and Naturalization Agency, the Internal Revenue Service, State and Local law enforcement agencies and possible future costs of repair of identity theft.” The plaintiffs cited ORS 192.518 and 45 C.F.R. Parts 160 and 164 as the bases for the doctor’s duty to safeguard the data (protecting it against theft and disclosure, and not having it encrypted). In addition to the acts of negligence stated above, the plaintiffs also asserted that the doctor violated the Unlawful Trade Practices Act in that he misrepresented that “all information gathered to sell its services or goods would be safeguarded and kept confidential when [he] knew that [he] lacked adequate means to safeguard such information” and also that the doctor misrepresented that “the business of sale of services and goods would include privacy and confidentiality when [he] knew that the transactions were not confidential due to [his] inadequate data protection program.” The trial court dismissed all actions because the plaintiffs had failed to state a cause of action since the claim was barred under legal precedent. This appeal ensued.

President, Orthodontic Consulting Group, LLC, Jacksonville, Fla. Am J Orthod Dentofacial Orthop 2011;140:133-5. 0889-5406/$36.00. Copyright © 2011 by the American Association of Orthodontists. doi:10.1016/j.ajodo.2011.03.017

In Oregon as in all other jurisdictions, to recover in a cause of action based on negligence, the plaintiff must prove that there was a duty to conform to a standard of care, that this standard was breached by the defendant, that the plaintiff suffered “harm to an interest of a kind that the law protects against” (cit. omit.) (emphasis added), and that the breach of the duty must have been the direct or proximate cause of the damages or injuries sustained. The basis for this appeal was to answer the question of whether a significantly increased risk of future injury or the projected economic costs of periodic screenings of one’s credit, including the costs of repairing it if necessary, are the types of harm sufficient enough to impute liability on a defendant for negligence. In answering these questions, the court of appeals quoted case law (precedent) and stated:

Plaintiff has not alleged that her exposure to defendant’s products has resulted in any present physical effect, much less any present physical harm. Nor has she alleged that any future physical harm to her is certain to follow as a result of that exposure. Rather, she has alleged only that her exposure to defendant’s product has significantly increased the risk that she will contract lung cancer sometime in the future. . . . [T]he threat of future . . . harm that the plaintiff has alleged is not sufficient to give rise to a negligence claim. (cit. omit.)

In answering the second part of the previous question, the court, citing another case (again, legal precedent), noted that:

One ordinarily is not liable for negligently causing a stranger’s purely economic loss, but rather, liability for purely economic harm must be predicated on some duty of the negligent actor to the injured party beyond the common law duty to exercise reasonable care to prevent foreseeable harm. (cit. omit.)

The bottom line here was that the plaintiffs alleged all sorts of potential future economic losses rather than actual physical injuries to person or property. It is irrelevant that the harm is a foreseeable consequence of negligent conduct that could make someone liable to another party. For that to be the case, one must have, at its base, a distinct duty owed to that person that is outside the duty relating to claims based on common-law negligence. Such a duty arises from the relationship of the parties to one another and must comprise a heightened responsibility that encompasses protecting the economic interests of the other party. This might exist in such relationships as a principal-agent relationship, or because of the type of situation contemplated by the parties, such as when the defendant has control over the subject matter inherent in the relationship. An example might be when 1 party has placed potential financial liability in the hands of the other, or when 1 party “has a duty to administer, oversee, or otherwise take care of the affairs belonging to the other party.” The court also noted that, although the statutes cited by the plaintiff do establish rules and standards of conduct, any violations of those standards do not automatically give rise to liability based on a claim solely citing economic damages, either real or future.

The court then looked at whether the plaintiffs had stated a viable claim for negligent infliction of emotional distress. The plaintiffs argued that inherent in the doctor-patient relationship is a duty to maintain patient confidentiality. Once again, citing previously adopted case law, the court noted that:

The gravamen of the tort of breach of confidentiality, in Oregon and nationally, is the affirmative disclosure of information by a person to whom the confidential information has been entrusted. Plaintiffs identify no authority—and we have found none—that expands the tort to impose liability where the defendant has not affirmatively disclosed the ‘entrusted’ or ‘confidential’ information. (cit. omit.) (emphasis in original)

Regarding the Unlawful Trade Practices Act, the statute states that “any person who suffers any ascertainable loss of money . . . as a result of [an] . . . act or practice declared unlawful by ORS 646.608 . . . may recover actual damages or $200, whichever is greater.” Subsection (1) states that “[a] person engages in unlawful practice when . . . (e) [he] represents that . . . services have . . . characteristics . . . or qualities they do not have” and (g) “represents that . . . services are of a particular standard, quality . . . or a particular style or model, if they are of another.” The plaintiffs claimed that the defendant violated these provisions because he represented that “all information gathered . . . would be safeguarded and kept confidential when [he] knew [he] lacked adequate means to safeguard such information” and, in addition, that the sale of the doctor’s services would “include privacy and confidentiality when [he] knew the transactions were not confidential due to its inadequate data protection program.”

The trial court rejected the claim because the damages claimed were not “an ascertainable loss.” The appellate court affirmed, stating that ascertainable means “capable of being discovered, observed, or established.” Although the plaintiff’s losses would eventually be ascertainable once the costs related to the credit issues were actually undertaken, the real question was whether the plaintiffs alleged any loss of money or property as stated in the statute. Normally, a loss takes the form of the difference in value between the product represented and that which was actually tendered, the difference between the advertised price and the sale price, the difference in characteristics of the property tendered vs the one advertised, and so on. In this case, however, the plaintiffs claimed a threatened loss if a credit issue or an identity-theft issue actually materialized, as well as money spent to forestall those potential losses. Finding that the potential loss of an ascertainable dollar amount was not contemplated by the statute, the court again ruled in favor of the defendant doctor.

COMMENTARY

This is a real and scary scenario. We possess much important patient information, and I’m not even talking about a patient’s medical or dental history. When you stop to think about it, on our intake forms, we have every piece of information needed to rob someone of his or her identity. Are we obligated, and if so in what way, to safeguard that information? What is the level of care that we must take (read that as “what is our duty”) to ensure a patient’s privacy and the confidentiality of this information? Is locking our office doors sufficient? Take a good look at your office and ask yourself, “how easy would it really be to break into this place?” Okay, so you take the next step and make sure that no patient files are left out and that everything is locked inside a file cabinet (forget about open filing systems). How easy is it to pop that little button at the top of the file cabinet if someone really wants to get into it? How about taking a file home to review it? Can’t your home or car be broken into? If you take the doomsday approach, you realize that you must forget about paper files. Hold on a minute Jerrold, are you really saying that the scenarios you just posited mandate that everything must be reduced to digital format? Is this reasonable? Ah, the real question: what constitutes reasonableness?

To you newbies to our specialty who are reading this, you might be thinking that this article doesn’t apply to you, since virtually all offices that opened in the recent past keep almost all patient information in a computerized patient-management software program. But to the thousands of doctors out there who still have old patient files, even if you have changed over to digital format, in boxes in your basements, attics, garages, or storage units, what are you going to do about that? How do you go about disposing of old records? Are you adequately protecting your patients? If you say that you are merely doing what everyone else is doing, hence you are being reasonable, how do you feel about all of the physicians that you and your family members have visited over the past 10 or 20 years who have your old files stored somewhere with all of your information ready to be pilfered by someone intending to engage in fraudulent activity and commit identity theft? Do you, as the potential victim, think that what your caretakers have done is reasonable?


For right now, we can rest easy. As the court noted, the doctor did not affirmatively disclose the patient’s confidential protected health information. However, legal liability aside, responsibility for someone’s identity being stolen is not something I want to be known for around the neighborhood. There are companies out there that specialize in document destruction. There are companies out there that specialize in encoding or encrypting data. There are companies out there that specialize in storing backup data off site. I have heard the adage that, if you are on the cutting edge, you tend to have a lot of bleeding episodes. Many of us want to take a wait-and-see attitude, to see what shakes out, to let others make the mistakes that always accompany an undertaking before it is perfected. Like everything else in risk management, it comes down to a matter of individual risk tolerance. Be that as it may, I just wonder whether this isn’t the right time for all of us to honestly and critically reevaluate how we do what we do to safeguard patient data. And once we have done that and come up with our solution to this issue, it might truly be the perfect time to apply the golden rule: do unto others as I would have them do unto me.

By the way, the American Association of Orthodontists has produced, through its legal counsel, for all of its members, a document entitled “Guide to Patient Privacy Rules.” I suggest that you contact Kathy DiPrimo at [email protected] for a copy. The following was taken from this guide as it relates to the above article. HIPAA regulations require persons and entities covered by HIPAA to assess potential risks and vulnerabilities of their computer systems, protect against threats to information security or integrity, implement and maintain security measures, and ensure compliance with these safeguards. The specific security rules can be obtained at: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf.
