Supreme Court to Hear Arguments on Suit for Damages under the Privacy Act

The Supreme Court is scheduled to hear oral arguments tomorrow, November 30, in a suit for damages under the Privacy Act stemming from a wrongful disclosure of confidential information. Federal Aviation Administration v. Cooper involves a plaintiff whose HIV information was wrongfully disclosed by federal agencies. The suit seeks to establish that mental or emotional injuries qualify as "actual damages" for purposes of the civil remedies provision of the Privacy Act, 5 U.S.C. § 552a(g)(4)(A). The Privacy Act regulates the collection, maintenance, use and disclosure of individuals' information collected by federal agencies.

A private aircraft pilot since 1964, the plaintiff, Stanmore Cooper, was diagnosed with HIV in 1985. Although required to disclose the illness and any medications being taken on his "airman medical certificate," a continuing certification the FAA requires of any pilot who wishes to legally operate an aircraft, Cooper chose to let his certificate lapse because he would not be permitted to fly if he disclosed his illness. In 1994, he again submitted the application, choosing not to disclose his HIV status. For ten years, he continued to renew the application, intentionally omitting his HIV status.

However, Cooper's information was exchanged between the Social Security Administration (SSA) and the FAA as a result of a collaboration between agencies that sought to uncover illicit efforts by pilots to obtain FAA licenses although medically "unfit." This exchange occurred without his authorization. Cooper had provided information regarding his HIV status to the SSA in his application for long-term disability benefits. Cooper was eventually indicted on three counts of submitting false statements to the government and lost his pilot's license.

Cooper sued in 2007 alleging that the federal government had "willfully and intentionally" violated the Privacy Act and caused him "to suffer humiliation, embarrassment, mental anguish, fear of social ostracism, and other severe emotional distress." The Southern District of California, where the plaintiff's case was originally brought, found that the federal government had violated the Privacy Act, but held that regardless, Cooper had not demonstrated the "actual damages" required by the Act. The Ninth Circuit on appeal reversed, finding that mental or emotional distress was sufficient, "given the nature of the injuries that most frequently flow from privacy violations...."

The Supreme Court accepted the government's petition for certiorari in June of 2011. A key issue expected to be tackled by the Supreme Court, according to the prestigious ScotusBlog, is whether the Privacy Act was intended to broadly protect privacy rights against the government's more limited interpretation, an important step for understanding the nature of privacy injuries and privacy law generally.

If the Supreme Court sides with the government, this would not only limit damages to pecuniary ones, but could also deter whistleblowers and have a negative impact on privacy law in general. A decision will not be made until spring of next year. For a more in-depth explanation of the issues involved and an overview of tomorrow's oral arguments, visit ScotusBlog, or generally, CNN.com.

HIPAA Audits Begin November 2011, How Can Covered Entities and Business Associates Prepare?

The United States Department of Health and Human Services (HHS) has announced that it will begin HIPAA audits of covered entities and business associates this November 2011, and its contracted auditor, KPMG, is required to audit up to 150 entities by the end of 2012! HHS's website provides detailed information regarding when the audits will begin, who may be audited, how the audit program will work, what the general timeline will be for an audit, and, generally, what will happen after an audit is completed. In addition, HHS's sample Audit Letter indicates that KPMG will focus on discovering vulnerabilities in privacy and security compliance programs, and that certain "information" and "documents" will be requested in connection with the audit. However, no additional details are given regarding what covered entities and business associates may be asked to produce.

Presumably, KPMG will not be letting the HIPAA audit cat out of the bag too soon by telling organizations exactly what information and documents they may ask for in connection with such audits, especially where one of their objectives is to identify gaps in HIPAA compliance. Nevertheless, covered entities and business associates may gain valuable insight into what to expect by looking to past guidance regarding HIPAA audits issued by HHS's Office of e-Health Standards and Services (the "HIPAA Audit Checklist"), as well as by reviewing HIPAA audits and investigations that have taken place over the last few years.

In its previously released HIPAA Audit Checklist, the Office of e-Health lists the types of personnel that may be interviewed, and the types of policies, procedures and other documentation and evidence that may be requested. In addition, the audit of Atlanta, Georgia's Piedmont Hospital is informative. In February of 2007, HHS, through the Office of Inspector General, conducted a random HIPAA audit of Piedmont Hospital. The letter to Piedmont's CIO announced that the focus of the audit would be on the organization's compliance with the Security Rule and indicated that the audit would begin with an "entrance conference" 10 days after Piedmont's receipt of the audit letter from the Regional Inspector General for Audit Services (note that the proposed timeframe for the coming KPMG audits is 30-90 calendar days from the date on the applicable HHS Audit Letter). The Piedmont audit letter also included an enclosure asking for a list of documents and information to be provided, which overlapped significantly with the Office of e-Health's HIPAA Audit Checklist!

Covered entities and business associates may also glean additional insight from what HHS/OCR has asked for in connection with complaint-driven HIPAA investigations. HHS/OCR has posted on its website several Resolution Agreements with covered entities that have been through a HIPAA investigation. These agreements also contain hints as to what covered entities and business associates may be asked for during a HIPAA audit.

Until news of organizations receiving HIPAA audit letters starts to trickle out and KPMG begins its work, it is not possible to know exactly what KPMG will ask for and focus on. Nevertheless, covered entities and business associates should not sit back and take a "wait and see" approach. Rather, organizations should prepare now by completing an internal review of their HIPAA compliance program to ensure that their policies are current and are being followed by their workforce, and that all other required HIPAA documentation is in place and ready to be produced in case a HIPAA audit letter arrives in the mailbox tomorrow.

Our November edition of "Health Law Diagnosis" includes a list of HIPAA compliance items that all covered entities and business associates should have in place in order to be prepared for a HIPAA audit.