Ask the Legal Expert about ... disclosure of resident information

John Durso, Esq.  Nixon Peabody LLP
John Durso, Esq. Nixon Peabody LLP

I trusted my software vendor but wound up having some resident personal information made available to the public. If a resident pursues a claim against us, can we seek damages from the vendor? What is our liability?

The limits to which a senior care facility is liable for a vendor's disclosure of personal information depends on several factors. The facility should first determine what happened, including the vendor's role and the facility's role. 

Importantly, the facility should determine what type of information was disclosed or made available, how many residents were affected and whether any unauthorized party accessed this information. 

The next step is to work with the vendor to secure the information and mitigate any potential damage.

If the incident is determined to be vendor error, then the facility should carefully review its agreement with the vendor. The facility should determine whether the vendor complied with any breach notification provisions and if the agreement contains indemnity or limitation of liability clauses.   

The facility next should analyze any applicable state and federal laws to determine whether any resident, agency or media notification is required. For example, protected health information of skilled nursing residents comes under the aegis of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If protected health information is involved, the facility and vendor should comply with the HIPAA requirements. State laws also may require additional notifications.

If a resident files a claim against the facility, it may be able to seek restitution or otherwise pursue the software vendor if the facts show that the issue was caused by the vendor.