Let me know whether this sounds familiar. The doctor finishes work for the day. In his office, he uses some form of backup system whereby a disc or tape is created at the end of every day, and the doctor or office manager takes the backup medium home to safeguard the information in case of a fire, flood, earthquake, or other disaster. Generally speaking, it is placed in the doctor’s briefcase with his other papers of the day. When the doctor gets home, he takes his briefcase with him to review whatever he needs to that evening in preparation for the next day’s events. So far, this describes a fairly routine scenario for many of us. Now, suppose the doctor has an engagement after work; upon arriving at his destination, he places his briefcase in the trunk of his car because he does not want to check it at the restaurant he is going to. When he arrives home later that evening, he decides that it’s late, he won’t do any more work that day, he’s going to bed, and he leaves the briefcase securely locked in the trunk to be retrieved tomorrow when he gets to the office. Surprise, his car is broken into overnight, and the briefcase with its contents is stolen. His personal effects are missing, and so are his unencrypted backup discs or tapes containing hundreds (even thousands) of patient files with personal and medical information consisting of not only the patient’s clinical information but also personal information such as names, addresses, phone numbers, social security numbers, birthdates, parent’s information, and the list goes on. By this time, everyone reading this should have that sinking feeling in the pit of your stomach.
The doctor immediately contacts all patients involved, advising them of the loss of the data, profusely apologizing, although it was not his fault, and imploring them to take all necessary precautions to protect themselves from identity theft. Obviously, he will have many ticked-off patients. These are essentially the facts of Paul v Providence Health System-Oregon, 240 P.3d 1110 (Ore. Ct. App., 2010). Subsequently, a number of patients filed a class-action lawsuit against the doctor, claiming as damages that they suffered or will suffer: “financial injury in the form of past and future costs to monitor credit reports, recurring future costs to notify and re-notify credit bureaus of fraud alerts, costs of notification to the Social Security Administration, the Immigration and Naturalization Agency, the Internal Revenue Service, State and Local law enforcement agencies and possible future costs of repair of identity theft.” The plaintiffs cited ORS 192.518 and 45 C.F.R. Parts 160 and 164 as the bases for the doctor’s duty to safeguard the data (protecting it against theft and disclosure, and not having it encrypted). In addition to the acts of negligence stated above, the plaintiffs also asserted that the doctor violated the Unlawful Trade Practices Act in that he misrepresented that “all information gathered to sell its services or goods would be safeguarded and kept confidential when [he] knew that [he] lacked adequate means to safeguard such information” and also that the doctor misrepresented that “the business of sale of services and goods would include privacy and confidentiality when [he] knew that the transactions were not confidential due to [his] inadequate data protection program.” The trial court dismissed all actions because the plaintiffs had failed to state a cause of action since the claim was barred under legal precedent. This appeal ensued.
In Oregon as in all other jurisdictions, to recover in a cause of action based on negligence, the plaintiff must prove that there was a duty to conform to a standard of care, that this standard was breached by the defendant, that the plaintiff suffered “ harm to an interest of a kind that the law protects against ” (cit. omit.) (emphasis added), and that the breach of the duty must have been the direct or proximate cause of the damages or injuries sustained. The basis for this appeal was to answer the question of whether a significantly increased risk of future injury or the projected economic costs of periodic screenings of one’s credit, including the costs of repairing it if necessary, are the types of harm sufficient enough to impute liability on a defendant for negligence. In answering these questions, the court of appeals quoted case law (precedent) and stated:
Plaintiff has not alleged that her exposure to defendant’s products has resulted in any present physical effect, much less any present physical harm. Nor has she alleged that any future physical harm to her is certain to follow as a result of that exposure. Rather, she has alleged only that her exposure to defendant’s product has significantly increased the risk that she will contract lung cancer sometime in the future. . . . [T]he threat of future . . . harm that the plaintiff has alleged is not sufficient to give rise to a negligence claim. (cit. omit.)
In answering the second part of the previous question, the court, citing another case (again, legal precedent), noted that:
One ordinarily is not liable for negligently causing a stranger’s purely economic loss, but rather, liability for purely economic harm must be predicated on some duty of the negligent actor to the injured party beyond the common law duty to exercise reasonable care to prevent foreseeable harm. (cit. omit.)
The bottom line here was that the plaintiffs alleged all sorts of potential future economic losses rather than actual physical injuries to person or property. It is irrelevant that the harm is a foreseeable consequence of negligent conduct that could make someone liable to another party. For that to be the case, one must have, at its base, a distinct duty owed to that person that is outside the duty relating to claims based on common-law negligence. Such a duty arises from the relationship of the parties to one another and must comprise a heightened responsibility that encompasses protecting the economic interests of the other party. This might exist in such relationships as a principal-agent relationship, or because of the type of situation contemplated by the parties, such as when the defendant has control over the subject matter inherent in the relationship. An example might be when 1 party has placed potential financial liability in the hands of the other, or when 1 party “has a duty to administer, oversee, or otherwise take care of the affairs belonging to the other party.” The court also noted that, although the statutes cited by the plaintiff do establish rules and standards of conduct, any violations of those standards do not automatically give rise to liability based on a claim solely citing economic damages, either real or future.
The court then looked at whether the plaintiffs had stated a viable claim for negligent infliction of emotional distress. The plaintiffs argued that inherent in the doctor-patient relationship is a duty to maintain patient confidentiality. Once again, citing previously adopted case law, the court noted that:
The gravamen of the tort of breach of confidentiality, in Oregon and nationally, is the affirmative disclosure of information by a person to whom the confidential information has been entrusted. Plaintiffs identify no authority—and we have found none—that expands the tort to impose liability where the defendant has not affirmatively disclosed the ‘entrusted’ or ‘confidential’ information. (cit. omit.) (emphasis in original)
Regarding the Unlawful Trade Practices Act, the statute states that “any person who suffers any ascertainable loss of money . . . as a result of [an] . . . act or practice declared unlawful by ORS646.608 . . . may recover actual damages or $200, whichever is greater.” Subsection (1) states that “[a] person engages in unlawful practice when . . . (e) [he] represents that . . . services have . . . characteristics . . . or qualities they do not have” and (g) “represents that . . . services are of a particular standard, quality . . . or a particular style or model, if they are of another.” The plaintiffs claimed that the defendant violated these provisions because he represented that “all information gathered . . . would be safeguarded and kept confidential when [he] knew [he] lacked adequate means to safeguard such information” and, in addition, that the sale of the doctor’s services would “include privacy and confidentiality when [he] knew the transactions were not confidential due to its inadequate data protection program.”
The trial court rejected the claim because the damages claimed were not “an ascertainable loss.” The appellate court affirmed, stating that ascertainable means “capable of being discovered, observed, or established.” Although the plaintiff’s losses would eventually be ascertainable once the costs related to the credit issues were actually undertaken, the real question was whether the plaintiffs alleged any loss of money or property as stated in the statute. Normally, a loss takes the form of the difference in value between the product represented and that which was actually tendered, the difference between the advertised price and the sale price, the difference in characteristics of the property tendered vs the one advertised, and so on. In this case, however, the plaintiffs claimed a threatened loss if a credit issue or an identity-theft issue actually materialized, as well as money spent to forestall those potential losses. Finding that the potential loss of an ascertainable dollar amount was not contemplated by the statute, the court again ruled in favor of the defendant doctor.
Commentary
This is a real and scary scenario. We possess much important patient information, and I’m not even talking about a patient’s medical or dental history. When you stop to think about it, on our intake forms, we have every piece of information needed to rob someone of his or her identity. Are we obligated, and if so in what way, to safeguard that information? What is the level of care that we must take (read that as “what is our duty”) to ensure a patient’s privacy and the confidentiality of this information? Is locking our office doors sufficient? Take a good look at your office and ask yourself, “how easy would it really be to break into this place?” Okay, so you take the next step and make sure that no patient files are left out and that everything is locked inside a file cabinet (forget about open filing systems). How easy is it to pop that little button at the top of the file cabinet if someone really wants to get into it? How about taking a file home to review it? Can’t your home or car be broken into? If you take the doomsday approach, you realize that you must forget about paper files. Hold on a minute Jerrold, are you really saying that the scenarios you just posited mandate that everything must be reduced to digital format? Is this reasonable? Ah, the real question: what constitutes reasonableness?
To you newbies to our specialty who are reading this, you might be thinking that this article doesn’t apply to you, since virtually all offices that opened in the recent past keep almost all patient information in a computerized patient-management software program. But to the thousands of doctors out there who still have old patient files, even if you have changed over to digital format, in boxes in your basements, attics, garages, or storage units, what are you going to do about that? How do you go about disposing of old records? Are you adequately protecting your patients? If you say that you are merely doing what everyone else is doing, hence you are being reasonable, how do you feel about all of the physicians that you and your family members have visited over the past 10 or 20 years who have your old files stored somewhere with all of your information ready to be pilfered by someone intending to engage in fraudulent activity and commit identity theft? Do you, as the potential victim, think that what your caretakers have done is reasonable?
For right now, we can rest easy. As the court noted, the doctor did not affirmatively disclose the patient’s confidential protected health information. However, legal liability aside, responsibility for someone’s identity being stolen is not something I want to be known for around the neighborhood. There are companies out there that specialize in document destruction. There are companies out there that specialize in encoding or encrypting data. There are companies out there that specialize in storing backup data off site. I have heard the adage that, if you are on the cutting edge, you tend to have a lot of bleeding episodes. Many of us want to take a wait-and-see attitude, to see what shakes out, to let others make the mistakes that always accompany an undertaking before it is perfected. Like everything else in risk management, it comes down to a matter of individual risk tolerance. Be that as it may be, I just wonder whether this isn’t the right time for all of us to honestly and critically reevaluate how we do what we do to safeguard patient data. And once we have done that and come up with our solution to this issue, it might truly be the perfect time to apply the golden rule: do unto others as I would have them do unto me.
By the way, the American Association of Orthodontists has produced, through its legal counsel, for all of its members, a document entitled “Guide to Patient Privacy Rules.” I suggest that you contact Kathy DiPrimo at kdiprimo@aaortho.org for a copy. The following was taken from this guide as it relates to the above article. HIPAA regulations require persons and entities covered by HIPAA to assess potential risks and vulnerabilities of their computer systems, protect against threats to information security or integrity, implement and maintain security measures, and ensure compliance with these safeguards. The specific security rules can be obtained at: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf .