Court Declines to Dismiss Claims Against Business Associate Subcontractor Responsible for HIPAA Breach

CVS Pharmacy, Inc. v. Press America, Inc., 2018 WL 318479 (S.D.N.Y. 2018)

A federal court has declined to dismiss a lawsuit filed by a pharmacy benefit manager (PBM) against a mail service that violated the HIPAA privacy rule when it misaddressed mail and improperly disclosed protected health information (PHI) of 41 individuals. The PBM, which contracted with a group health plan to provide mail-order pharmacy services, subcontracted certain functions to the mail service. Both the PBM and the mail service were subject to HIPAA privacy and security rules—the PBM as the health plan’s business associate and the mail service as a business associate subcontractor. According to the PBM, the mail service’s unauthorized disclosures violated a performance standard under the PBM’s contract with the health plan and triggered a payment of over $1.8 million by the PBM to the plan. The PBM then sought indemnification from the mail service, both under its business associate subcontract and common-law principles, and also contended that the mail service was negligent. The mail service moved to dismiss these claims.

Read more on EBIA.

About the author: Dissent