Amidst the worldwide COVID-19 pandemic, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is allowing healthcare providers to use technology that is not HIPAA-compliant.

HIPAA is the federal Health Insurance Portability and Accountability Act. HIPAA regulations protect patients from having their private health information disclosed by health care providers, or handled in a manner that puts the information at risk of being disclosed.

On Tuesday, March 17, 2020, the OCR announced, effective immediately, that it will exercise its “enforcement discretion” by not imposing penalties against healthcare providers for HIPAA violations in certain telehealth circumstances. Telehealth is the provision of medical services via remote methods, such as telephone or video chat. OCR will not impose penalties for HIPAA violations arising from the use of telehealth services, but only when the service is used in good faith for treatment or diagnostic purposes. The service does not have to be directly related to COVID-19. A healthcare provider that wants to use audio or video communication technology may use any “non-public facing” remote communication product, meaning one that by default allows only the intended parties (the provider and the patient) to participate in the session.

Under the OCR’s notice, popular video chat apps such as the following may be used for telehealth, even though their use might otherwise violate HIPAA rules:

  • Apple FaceTime
  • Facebook Messenger Video Chat
  • Google Hangouts video
  • Skype
  • Zoom

However, healthcare providers may not use:

  • Facebook Live
  • Twitch
  • TikTok
  • Or similar video communication apps that are “public facing”

Notwithstanding the relaxed rules, several vendors represent that they can provide healthcare video communication products under a HIPAA-compliant business associate agreement (BAA). Some of these vendors are:

  • Skype for Business/Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings/Webex Teams
  • Amazon Chime
  • GoToMeeting

Allowing healthcare providers to continue to examine patients during the COVID-19 crisis, while limiting the risks of in-person exposure, is a noble goal. The obvious negative is that many third-party communication apps, including those referenced by the OCR, pose privacy risks to the patient. For the vast majority of us, the COVID-19 crisis will be over in due time. But our personally identifying information, such as our names, addresses, and social security numbers, is a lot more difficult to change.

In our opinion, if a healthcare provider intends to use a communication vendor or application that is not HIPAA-compliant, that should be disclosed to the patient and the patient’s consent should be obtained, at a minimum. Before consenting, the patient should be informed that using the service may put their private information at risk. Whatever service is used, the healthcare provider should take reasonable steps to enable any encryption and privacy-protection settings the service offers. HIPAA-compliant vendors and technology should be the clinician’s first choice.


Palomar Medical Center in San Diego has just announced that the personal information of 1,300 patients was breached by an employee. The personal information includes name, date of birth, gender, medical record number, diagnosis, and other information. Some patients also had their health insurance information, financial data, social security numbers, and driver’s license numbers accessed.


If you received a notice from Palomar Medical Center of this data breach, or you believe that your medical records or personal information was disclosed without your permission, you may be entitled to compensation. Call our office at the number below to discuss your rights.

For further information on your rights when a hospital fails to protect your personal information, click here:  Your Rights In Data Breach Cases.


There is an epidemic of cyber security breaches of consumers’ personal information, no doubt about it. At a fast and furious pace, cyber attacks on hospitals are seemingly coming from anywhere and everywhere. With each breach, hackers show increasing boldness and sophistication. Health systems have become a one-stop shop for cybercriminals, who not only steal valuable credit card information but also access even more lucrative confidential patient information. Unlike a credit card, which can be cancelled, stolen personal health information is at risk of being used illicitly for the rest of the victim’s life, because it contains identifying information that cannot be changed (such as social security number, birth date, employment record, family medical history, genetic information, and personal health history).

How much information is being stolen? One recent example involves Banner Health, where the sensitive patient information and payment card data of over 3.7 million patients and health plan members was hijacked. Banner is only one of at least 13 reported health information data breaches that occurred in the single month of August 2016. The numbers of patients whose personal information has been hacked are staggering: for example, 655,000 Bon Secours patients were exposed in a data breach within just days of the Banner breach.

The number of patient records compromised in these recent breaches still pales in comparison to the number of health records that can be taken in one fell swoop: in the largest healthcare breach to date, nearly 80 million personal records were stolen from Anthem in a breach disclosed in early 2015, shortly after the FBI warned that hackers were now targeting health care.

These health care providers are not alone: there have been four reported cyber-thefts of Kaiser Permanente members’ records in the last five years. Healthcare has become the most frequently targeted industry for cyber attacks, edging out even the banking industry.

No one is immune: every industry, person, company, and government is at risk of a cyber attack. Over half a billion personal records were stolen or lost in 2015, ransomware increased by 35%, and 9 mega-breaches occurred. Soberingly, most companies are still not reporting the full extent of their security breaches, likely for commercial reasons. Cybercriminals operate in myriad ways, from infiltrating and paralyzing entire systems and holding them for ransom, to stealing personal data and selling it on an underground market. As the economic and political opportunities created by breaching security continue to flourish, so too have the opportunities in the healthcare setting.

What can a consumer whose information has been cyber-stolen do about it? For a long time, there was no remedy. Fortunately, times are changing and there are potential remedies available:

  1. California Confidentiality of Medical Information Act

California has one of the more progressive state laws protecting consumers: the Confidentiality of Medical Information Act (CMIA), California Civil Code Section 56 et seq. In substance, the CMIA provides that:

No health care provider may disclose or release medical information about a patient without authorization.

A $4.1 million settlement was paid by Stanford Hospital after 20,000 patients’ bills containing sensitive, private patient information were posted online. The data was posted by a business partner Stanford had contracted with to handle the patients’ emergency room bills.

Recovery under the CMIA is not always a “slam dunk” when patient records are hacked. The California Courts of Appeal have limited liability under the CMIA by requiring a consumer to establish the following in order to win:

     (a)     The disclosed data must be “medical information” within the meaning of the statute: individually identifiable information that includes something about the patient’s medical history (such as a mental or physical condition) or treatment, not merely identifying details such as name and address. Eisenhower Medical Center v. Superior Court (Riverside County), 226 Cal.App.4th 430 (2014).

     (b)     Negligence. While some courts have required proof of negligence, the CMIA does not expressly require it, and the California Supreme Court could well find, based on the legislative history, that this is a strict liability statute. In the meantime, negligence may not be difficult to prove. The U.S. Food and Drug Administration (FDA) has found that the most common causes of medical records being hacked include lax password distribution; disabled, weak, or absent passwords; a lack of updated security software; and a lack of encryption. Who can argue that such rookie moves in the handling of voluminous and sensitive patient information are not negligence? In fact, criminal recklessness comes to mind!

     (c)     Proof that an unauthorized person actually viewed the medical information. This is the element that consumers have found most difficult to establish. For example, in Regents of the University of California v. Superior Court, 220 Cal.App.4th 549 (2013), a UCLA physician’s laptop containing thousands of patients’ electronic charts was stolen. Because the patients could not allege that the data was actually “disclosed” after it was stolen, the case was dismissed. Left uncertain after the UCLA case was whether proof of disclosure alone was enough for a lawsuit to go forward. While the California Supreme Court has yet to rule on the issue, another Court of Appeal decision holds that even disclosure alone is not sufficient: a plaintiff must prove that the “stolen medical information was actually viewed by an unauthorized person.” Sutter Health v. Superior Court (Atkins), 227 Cal.App.4th 1546 (2014). The court held that mere possession of medical information or records by an unauthorized person is insufficient to establish a breach of confidentiality if the unauthorized person has not viewed the records.

All is not lost for consumers: the California Supreme Court has yet to rule on these issues, and it could well find that the legislative history imposes no such restrictions on recovery. Further, as outlined below, the federal courts have eased the requirements for similar lawsuits.

  2. Federal Class Actions

Recently, there have been pro-consumer decisions rendered by multiple federal Courts of Appeal in consumer class actions.

For example, in September 2016, the United States Court of Appeals for the Sixth Circuit held in Galaria v. Nationwide Mutual Insurance Co., __ F.3d __ (6th Cir. 2016), that where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in the plaintiffs’ complaints. The court reasoned that where the plaintiffs already know they have lost control of their data, it would be unreasonable to expect them to wait for actual misuse, such as a fraudulent charge on a credit card, before taking steps to ensure their own personal and financial security. Where the plaintiffs allege that they and other putative class members must expend time and money to monitor their credit, check their bank statements, and modify their financial accounts, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement for standing.

Similarly, the court in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), reasoned: “[w]hy else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make a fraudulent charge or assume those consumers’ identities.” This is consistent with the Seventh Circuit’s rationale in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), where restaurant customers’ credit-card data was stolen in a data breach and the court found standing because a “primary incentive” for such a breach is to commit fraud.

Closer to home, the Ninth Circuit (which includes California) similarly found standing in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), where employees brought suit after a thief stole a company laptop containing their personal information.

Not all federal Courts of Appeals decisions favor consumers on this point. The Third Circuit reached a different conclusion in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). In Reilly, a hacker broke into a payroll processor’s network, but it was not clear “whether the hacker read, copied, or understood” the personal data stored on the system. The plaintiffs whose data was in the system alleged an increased risk of identity theft, but the court concluded that the injuries were too speculative because there would be an injury only “if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully.” The Third Circuit also distinguished the case from data-breach cases where courts found standing: “Here, there is no evidence that the intrusion was intentional or malicious.”

The pro-consumer decisions in the federal courts may conceivably open the way for similar findings in class actions under the California statute. The CMIA provides for nominal damages of $1,000 per person in addition to actual damages (such as the costs of changing bank accounts, freezing credit, and so on), and a prevailing plaintiff may also recover attorney’s fees and costs.

Stay tuned as the state and federal courts scramble to keep up with the rapid technological advances that allow cyber-thieves to remotely and repeatedly steal your most cherished private information with the click of a mouse.

If you or someone you know has had their personal medical information or other personal data stolen by a cyber attack in California, please contact us using the button at the bottom of this page, or call 619-238-8700.