Fox Rothschild partner Scott Vernick recently appeared as a guest on the Willis Report to discuss the fallout of the hacking of Sony Pictures Entertainment. Click here to view the segment. Celebrities’ individually identifiable health information, some of which appears to be protected health information (“PHI”) under HIPAA, was among the sensitive personal data hacked into. According to one report, a file was accessed that contains a list of the highest-cost patients covered by Sony Pictures’ health plan.
As a covered entity, a health plan (and/or its business associate) that suffers a breach of plan members’ PHI may find itself subject to civil monetary penalties imposed by the Secretary of the Department of Health and Human Services (“HHS”) that can be substantial, particularly if HHS determines the HIPAA violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the health plan (or its business associate, if the business associate is liable) knew or, by exercising reasonable diligence, would have known that the violation occurred.
Penalties under these circumstances are to be at least $50,000 for each violation, up to $1,500,000 for identical violations in a single calendar year. Penalties of up to $50,000 for each violation and up to $1,500,000 for identical violations in a year can even be imposed when the health plan (or business associate) did not know, and by exercising reasonable diligence, would not have known that it had violated HIPAA. 45 CFR 160.404.
The Secretary of HHS will consider aggravating factors in determining the amount of the penalty, including whether the HIPAA violation resulted in harm to an individual’s reputation. 45 CFR 160.408.
Although HIPAA may seem the least of Sony Pictures’ concerns right now, as discussed in previous posts (here and here) regarding the recent Byrne v. Avery Center for Obstetrics and Gynecology, P.C. case, HIPAA “may well inform the applicable standard of care” in negligence actions brought under state law.