A Federal District Court in Florida Finds Hospital System Properly Terminated a Professional Services Contract for a HIPAA Breach

By Jerry Gaffaney

The U.S. District Court for the Southern District of Florida found on June 20, 2013 that defendant Community Health Systems, Inc., and its affiliated hospital, Salem Hospital (collectively, “CHS”) properly terminated a Professional Services Agreement it had with Managed Care Solutions, Inc. (“MCS”) for breach of contract after determining that Nichole Scott, one of MCS’s employees, misappropriated Protected Health Information (“PHI”) from the hospital. Ms. Scott misappropriated PHI from the hospital’s patients including patients’ checks, credit card numbers and social security numbers.

The Business Associate Agreement (“BAA”) between CHS and MCS provided, among other things, that in the event MCS breached its obligations under the BAA, CHS could terminate both the BAA and the Professional Services Agreement. After CHS terminated the Professional Services Agreement with MCS as a result of Ms. Scott’s misappropriation of its patients’ PHI, MCS sued CHS for breach of contract. The Florida District Court granted CHS’s motion for summary judgment and dismissed the lawsuit.

The lesson from this case is that healthcare entities should have clear cross-default provisions in their Professional Services Agreements with their business associates and in their Business Associate Agreements that allow them to terminate the Professional Services Agreement or take other appropriate remedial action in the event of a breach by the business associate of its obligations under the Professional Services Agreement and/or under the Business Associate Agreement.