Is a hospital a “consumer reporting agency”? Can a health care provider be liable under the Fair Credit Reporting Act (FCRA) in the event of a data breach? The Seventh Circuit Court of Appeals recently considered these significant questions in the case of Tierney v. Advocate Health & Hosps. Corp. (7th Cir., No. 14-3168, August 10, 2015). The defendant, Advocate Health, an Illinois-based health system, experienced a significant data breach in July 2013, in which four desktop computers containing data relating to four million patients were stolen from Advocate’s administrative offices. The plaintiffs, who had been victims of the data breach, brought claims for willful and negligent violation of FCRA. FCRA requires “consumer reporting agencies” to “maintain reasonable procedures” to prevent the disclosure of “consumer reports” to unauthorized third parties.
In ruling that Advocate did not meet the definition of a “consumer reporting agency,” the Seventh Circuit closely examined each element of the statutory definition, while also making a refreshingly simple observation: “Advocate is . . . a ‘network of affiliated doctors and hospitals that treat patients’—not a credit or consumer reporting company.” Hospitals and other health care providers already facing extensive regulation of their privacy and data security practices under HIPAA, HITECH and various other sources of federal and state law will be relieved to know that at least one federal circuit court has decided not to impose another layer of regulatory compliance on their operations.