Remember the $20 million class action lawsuit against Stanford over an Excel file that a Business Associate posted online? The lawsuit, driven by California state privacy laws, recently settled for $4 million, with the Business Associate paying the bulk of the settlement. The class action, one of five large Stanford-related HIPAA breaches, stems from a 2010 disclosure of emergency room patient data affecting 20,000 patients. The majority of the settlement fund, $3.3 million, will come from Stanford's Business Associate. Stanford is contributing $500,000 to a vendor education fund and is paying $250,000 in settlement administration costs. Though a significant reduction from the original $20 million claim, the $4 million settlement price tag is not a drop in the bucket.
The major lesson to glean from this case is that covered entities should investigate their vendors more thoroughly before transmitting PHI. That means not simply executing a Business Associate Agreement with indemnification and insurance provisions (though that is advisable), but also reviewing and evaluating the vendor's current security policies, staff training, use of subcontractors, and encryption standards. For more information about HIPAA, please contact Elana Zana.