ARTICLE
21 October 2025

Imagination Is Essential For Good Legal Defense

Dickinson Wright PLLC

Dickinson Wright is a general practice business law firm with more than 475 attorneys among more than 40 practice areas and 16 industry groups. With 19 offices across the U.S. and in Toronto, we offer clients exceptional quality and client service, value for fees, industry expertise and business acumen.

Previously published in Healthcare News and Healthcare Michigan.

Growing up, my family played an unusual game around the dinner table. After sharing about our days, my dad (also a health care attorney) would ask my sisters and me to argue. He'd pick a topic, such as why my younger sister should have a later bedtime than me, or what movie we should rent at Blockbuster, and then we'd each be given roughly three minutes to present our arguments and another minute for rebuttal. The most challenging (and fun) part of the game was that we always had to argue the side other than what we naturally would have wanted. As it turns out, my dad gave my sisters and me a gift with this game – the ability to think critically about a topic, and a lifelong tool for how to critique our own arguments to make them stronger and recognize the strengths and weaknesses of others' arguments. My little sister and I both became attorneys (my older sister became an educator) and all three of us use these skills every day.

Learning to identify your opponent's strongest arguments paves the way for the strongest defense and for resolution. Here are questions I ask regularly when evaluating a case:

If everything the opposing side alleges is true, can I still win? Which specific facts that the opposing side claims are true are actually incorrect? Can I prove they are incorrect? Do the specific laws that opposing counsel says govern this dispute actually say what opposing counsel believes they say? Can those rules reasonably be interpreted differently, or indeed, do they apply at all here?

Take a real-world example that is all too common for health care providers and entities: the dreaded HIPAA breach. Identifying the appropriate course of action for a HIPAA breach concern (and conducting the required risk assessment) requires imagination. When clients ask me whether a particular unauthorized disclosure constitutes a reportable HIPAA breach, the underlying question I keep in mind while walking through the risk factors is: "If I were a pirate or a professional hacker, what could I reasonably do with the information that has been inadvertently shared?"

Examples of Common Non-Malicious HIPAA Unauthorized Disclosure Issues that Cross My Desk

  • An email forwarded to the wrong person containing a patient (or several patients') PHI.
  • Forgetting to "bcc" patients and instead including everyone on the "to" or "cc" line.
  • Not logging out of an EMR or other program on a computer, inadvertently allowing a patient waiting in the room to view (and possibly photograph with their phone) another patient's medical history, name, and other details.

These examples are common, preventable mistakes. Each instance of a suspected or known HIPAA breach needs to be examined to determine exactly what information was disclosed, where it went, and what mitigating efforts can be or have been taken to prevent further unauthorized disclosure.

A Quick Refresher While We're on the Topic of HIPAA Breaches

  • What is PHI? Protected health information means "individually identifiable health information" that is transmitted or maintained in electronic media or in any other form or medium, with a few exceptions.1
  • What is Individually Identifiable Health Information? "Any information collected from an individual that – (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and – (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual."2
  • What are some of the questions to consider when determining if an unauthorized disclosure constitutes a reportable breach?3
    • What is the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification?
    • Where did the information go? Were the unintended recipients themselves covered entities required to comply with HIPAA? Or did the information go to the (hopefully rare) angry patient with too much time on their hands, or to a professional-level hacker?
    • Was the PHI actually acquired or viewed (or was there only a possibility that it was)?
    • Has the risk to the PHI been mitigated to prevent further unauthorized disclosure and/or to successfully retrieve the information? How? Did the attempted mitigation actually help or did it accidentally create a secondary issue in need of its own review?
  • HIPAA breach notification and reporting requirements now also apply to breaches of substance use disorder records covered under 42 CFR Part 2.

Consequences of Failing to Conduct Risk Analyses

It is important to make sure your entity conducts regular HIPAA compliance training and refresher courses, and that each staff member attends them. It is incredibly easy to make mistakes and it is vitally important to avoid them. Just as important, make sure your entity is up to date with Security Rule requirements, which include significant risk analysis updates.4

In a recent example from this summer, HHS' Office for Civil Rights (OCR) announced a $225,000 settlement including a two-year corrective action plan with a behavioral health provider over unauthorized disclosures of electronic PHI. The information disclosed included discharge summaries that were mistakenly publicly viewable online (with patient names, DOB, patient identification numbers, facilities, and diagnoses) for over a year. Later, the same entity experienced a ransomware attack and extortion threats, affecting over 171,000 individuals.5

Based on its investigation into both incidents, OCR found that the entity "failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it held."6

OCR has made clear that it will enforce the HIPAA Security Rule and, as this example shows, will investigate, fine, and monitor entities that fail to conduct comprehensive risk analyses.

Whether your entity needs to review an unauthorized disclosure incident to determine if it is a reportable HIPAA breach, is in the process of conducting a Security Rule risk analysis, or is caught in any other type of legal dispute, it pays to think outside the box and understand both your own and your opponent's strongest arguments. It also makes excellent dinner table conversation (de-identified, of course).

Footnotes

1. See 45 CFR § 160.103

2. See 42 USC § 1320d(6)

3. See 45 CFR § 164.402

4. You can read more about the proposed HIPAA Security Rule update here: https://healthlawblog.dickinson-wright.com/2025/02/security-security-hhs-proposes-updates-to-hipaas-security-rule/

5. You can find the Resolution Agreement entered into for this case here: https://www.hhs.gov/sites/default/files/ocr-hipaa-racap-deer-oaks.pdf.

6. See https://www.hhs.gov/press-room/ocr-hipaa-racap-deer-oaks.html

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
