Call
Summary
In Ford v. Sandhills Med. Found., Inc., 97 F.4th 252 (4th Cir. 2024) the Fourth Circuit reversed the district court’s grant of immunity to Sandhills Medical Foundation, a Federally Qualified Health Center (“FQHC”), under § 233(a) of the Public Health Service Act, following a data-breach. The appellate court held that the data-breach did not constitute a “related function” to medical services, and therefore, Sandhills was not entitled to immunity under§ 233(a).
Factual Background and District Court’s Decision
The case originated from a data-breach at Sandhills, a nonprofit health center in South Carolina. The data-breach resulted in the theft of electronically stored personally identifying information of its patients, including the appellant, Joann Ford. Ford was a former patient who had provided her PII to Sandhills in the course of her treatment. Ford brought a putative class-action against Sandhills, seeking damages in connection with the theft of her PII.
As a FQHC, Sandhills is immune from suits for “damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions . . . while acting within the scope of his office or employment” and the United States is substituted as a defendant in place of Sandhills. 42 U.S.C. § 233(a). The district court concluded that the data-breach arose from Sandhills’ performance of “medical, surgical, dental, or related functions,” and therefore, it was immune under § 233(a). The district court reasoned that because Sandhills required Ford to provide her PII in order to receive medical services, the breach of its systems containing such information arose out of Sandhills’ performance of medical or “related functions” within the meaning of § 233(a). The district court supported this conclusion by pointing to Sandhills’ statutory requirement to maintain the confidentiality of patient records.
District courts across the county that have addressed the issue are split on whether FQHCs are immune from suit for data-breaches under § 233(a). Compare Mixon v. CareSouth Carolina, Inc., 4:22-cv-00269-RBH, 2022 U.S. Dist. LEXIS 98603 (D.S.C. June 2, 2022) (FQHCs are immune from suit for data-breaches under § 233(a)); Doe v. Neighborhood Healthcare, 3:21-cv-01587-BEN-RBB, 2022 U.S. Dist. LEXIS 225533 (S.D. Cal. Sep. 8, 2022) (same); Krandle v. Refuah Health Ctr., Inc., 22-CV-4977 (KMK), 2024 U.S. Dist. LEXIS 43254 (S.D.N.Y. Mar. 12, 2024) (same) with Hale v. Arcare, Inc., 3:22-CV-00117-BSM, 2024 U.S. Dist. LEXIS 40993 (E.D. Ark. Mar. 8, 2024) (data breach litigation not immune under § 233(a)); Marshall v. Lamoille Health Partners, Inc., No. 2:22-cv-166, 2023 U.S. Dist. LEXIS 64953 (D. Vt. Apr. 13, 2023) (same).
The Fourth Circuit’s Reasoning
The Fourth Circuit reversed, and held that Sandhills was not immune from suit because the data security measures implemented by Sandhills did not qualify as a “related function” under § 233(a).
The appellate court examined the relationship between the actions taken by Sandhills in storing PII and the actual provision of medical services. The court distinguished between the necessary administrative tasks associated with healthcare provision, like record keeping and data storage, and the medical, surgical, or dental functions directly related to patient treatment and care. The court held that in order to qualify as a “related function” under § 233(a), the activity must depend on a medical, surgical, or dental professional’s skill, knowledge, or judgment. The court noted that while administrative actions such as storing PII are indispensable to modern healthcare, they do not directly involve decisions or actions in diagnosing, treating, or preventing diseases, which are the core activities meant to be shielded by the statute. As a result, the data breach litigation did not qualify for § 233(a) immunity, and Sandhills was required to defend the suit. The appellate court remanded the case back to the district court for further proceedings.
Significance Of This Decision for Federally Qualified Health Centers
While district courts across the country are split on whether FQHCs are immune from suit for data-breaches, the Fourth Circuit’s decision in Sandhills is the first Circuit Court to address this issue. This decision is particularly significant for FQHCs because it clarifies the scope of activities that are immune from suit as “related functions” under §233(a). The court’s narrow interpretation of § 233(a) suggests that FQHCs cannot expect immunity under §233(a) for suits unrelated to the core provision of medical care. This could impact how FQHCs manage their litigation risk, potentially leading to changes in how they contract with third parties for storing sensitive patient information and other administrative tasks.
If you have any questions about this article, or about other regulations or litigation affecting FQHCs, please do not hesitate to contact Sam Kadosh at [email protected].
