Pittsburgh Counselor Pays $15,000 Penalty for HIPAA Right of Access Violation
The HHS’ Office for Civil Rights reported its 44th enforcement action associated with the HIPAA Right of Access initiative. David Mente, MA, LPC, a Pittsburgh, PA-based certified counselor offering psychotherapy services pays a $15,000 financial penalty for violating the HIPAA Right of Access.
The HIPAA Right of Access makes it possible for people to get a copy of their health data. Healthcare providers need to answer requests and give the requested documents within 30 days after receiving the request, but it’s possible to have a 30-day in particular cases. This case arose from a complaint by a father who asked for a copy of his three minor children’s health records from Mente last December 2017. The complainant personally represented his children and must have been given the documents as needed.
After getting the complaint, OCR got in touch with Mente, offered technical support regarding the HIPAA Right of Access, and marked the complaint as resolved. The father submitted another request for a copy of the medical records last April 2018; however, Mente once more did not give the required records, in spite of having gotten technical support from OCR. That prompted the father to submit another complaint with OCR.
This is OCR’s third financial penalty enforced in 2023 addressing potential HIPAA Rules violations. The other financial penalties were a $16,500 settlement with Life Hope Labs LLC and a $1,250,000 settlement with Banner Health.
As per HIPAA, parents are the personal representatives of minor kids and they have a right to get access to their medical records. Getting a copy of a patient’s records should not take six years or several filed complaints. HIPAA-regulated entities must be proactive and do their job to make sure patients and their authorized representatives can get copies of the records.
Federal Court Drops FTC Complaint Against Kochava
The Federal Trade Commission (FTC) filed a complaint against Kochava, the mobile application attribution and analytics firm, but a federal judge dismissed the complaint. There is still an opportunity to open the case with a revised complaint having arguments that show the harm caused to consumers by the actions of Kochava.
The FTC’s legal action against Kochava, submitted in August 2022, claimed the company was vending the geolocation information of consumers collected from their mobile phone devices without their awareness. The geolocation data is connected to every user with a unique ID tag to their device. The FTC contended that the geolocation information can be utilized to identify persons who went to sensitive places like mental health treatment facilities, abortion clinics, places of worship, and other sensitive places. For instance, the information offered by Kochava for sale can be utilized to select women who came from a state that is anti-abortion to a state where abortion is unlawful, permitting the prosecution of those women along with the persons that helped them get an out-of-state abortion. The FTC legal case claimed Kochava got involved in illegal and deceitful business practices, violating the FTC Act. Kochava knew that a lawsuit would possibly be submitted by the FTC and tried to preempt it by submitting its own legal action then wanted to have the FTC lawsuit sacked. Those attempts were partly successful.
At this beginning phase of the lawsuit, the question that had to be clarified by the court was if the FTC had expressed a credible claim versus Kochava. Idaho District Judge B. Lynn Winmill stated in his judgment that the privacy issues brought up by the FTC in the complaint were absolutely legit and that the FTC’s idea that consumers can suffer harm because of the sale of their information was definitely possible. Judge Winmill decided that people will be in danger of secondary harm yet stated the FTC did not point to any particular instances of harm that were caused, just saying a possibility of secondary harm. The FTC did not add any degree of possibility to the risks. Although there exists a risk that geolocation information could be utilized to target persons, the simple probability of injury isn’t enough to permit the lawsuit to move forward.
The FTC asserted that the intrusion of privacy by itself makes up an injury, and although that is true, in this instance, the privacy breach wasn’t confirmed to be adequately severe to match the limit for injury. Particularly, since Kochava was not accused of vending or exposing private data, just selling information from which private data may be deduced from the presence of a person in or around a sensitive place. The geolocation information doesn’t indicate a person has gotten a particular service or went to a place for a particular goal and inferences tend to be unreliable. In addition, location data may be acquired by legal means, like observing an individual visiting a sensitive place and then acquiring the person’s address from public data. Lastly, the FTC’s lawsuit should express, at least roughly, the number of persons that could suffer from privacy violations because of the selling of the information by Kochava. The FTC was unable to convey how many individuals are probably injured.
Although the complaint was dropped, Judge Winmill stated that consumers do not have a reasonable way of steering clear of possible harms that are brought on due to Kochava’s business practices and that whatever benefits are derived from the selling of the information do not offset the harms that may result. The FTC is given another 30 days to resubmit the lawsuit with better arguments that the privacy breach will probably result in considerable harm to individuals.