If your organization is paying close attention to the HIPAA proposed rule published in the Federal Register July 14, keep paying attention.
However, perhaps lost in the shuffle of the proposed rule is the July 6 announcement by Connecticut Attorney Richard Blumenthal’s office of the $250,000 settlement Health Net and its affiliates agreed to pay for a breach of protected health information (PHI) affecting nearly a half million Connecticut enrollees.
The settlement is a landmark one. Blumenthal’s office is the first to cash in on the new HITECH-granted authority for state attorneys general to pursue HIPAA lawsuits.
How eager was Connecticut’s state attorney general to use the HITECH power?
HHS has yet to levy any civil penalties against any covered entities (and now business associates) since the HIPAA Privacy Rule was in force April 14, 2003, according to Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.
That’s more than seven years. Blumenthal’s settlement with Health Net came a little more than one year after HITECH became law.
Blumenthal isn’t alone.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, puts adding state attorneys general to the HIPAA enforcement mix this way: “There are 50 new sheriffs in town.”
“Most state AGs are elected, and almost all of them do everything they can to get re-elected,” says Drummond, who will be a co-presenter on the HCPro, Inc. August 31, 2010, audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations.”
“That means they'll be much more susceptible to public or political pressure to pursue HIPAA violations, particularly if there's a ‘good story’ behind the breach. They want to be seen as protecting the little guy, and they're much more incentivized” than the Office for Civil Rights (OCR), which enforces HIPAA for HHS.
Drummond says the power to state attorneys general also means 50 additional state courts where litigation may occur, which could “lead to multiple different interpretations of particular provisions of HIPAA.”
“So, it's almost a certainty that there will be more enforcement litigation, and that litigation will likely lead to different standards in different states,” Drummond adds.
Now, it’s a matter of waiting to see what other states besides Connecticut will do, Apgar notes.
“California didn’t wait for HITECH and enacted its own laws that already have had an impact on healthcare entities in California,” Apgar says. “Given that, I would not be surprised to see the California AG getting into the act in the near future.”
Naturally, state attorneys general are not the only enforcers of HIPAA. OCR will release an enforcement audit plan per HITECH. It already posts names of entities reporting breaches of unsecured PHI affecting 500 or more individuals; that number, since the breach notification website went live in February, is up to 121 as of Monday, July 26.
Further, this month’s proposed rule clarifies that the HHS secretary will investigate any HIPAA violations involving “willful neglect,” or when a covered entity or business associate has no control over preventing a breach and does nothing to correct other breaches.
However, state attorneys general in the enforcement mix means covered entities and BAs are more on the hook for breaches than ever—starting with Health Net.
“The damage to Health Net is the adverse publicity and the potential for the filing of civil suits by individuals who believe they have been harmed,” says Apgar. “Given the size of Health Net there isn’t really any sting from the fine itself— more the publicity and the aftermath.”
According to Blumenthal’s office, Health Net allegedly lost a computer disk drive in May 2009 containing PHI and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information.
The company delayed notifying consumers and law enforcement authorities for about six months from the time of the breach, Blumenthal’s office reported.
The settlement between Health Net and the state includes:
- Two years of credit monitoring by Health Net
- $1 million of identity theft insurance and reimbursement for the costs of security freezes
- “Corrective Action Plan,” including:
- Continued identity theft protection
- Improved systems controls
- Improved management and oversight structures
- Improved training and awareness for its employees
- Improved incentives, monitoring, and reports
- $250,000 payment to the state representing statutory damages
- Additional contingent payment to the state of $500,000, if the lost disk drive is accessed and personal information used illegally, impacting plan members
Timeline of the Attorney General's Office:
Connecticut Attorney General Richard Blumenthal’s actions regarding data breaches after HITECH was signed into law February 17, 2009:
July 14, 2010—Attorney General Urges Identity Theft Protections, Explanation For Teachers Impacted By Security Breach
April 20, 2010—Attorney General Seeks More Details About Student Loan Data Breach Involving 3.3 Million
March 29, 2010— Attorney General Investigating Alleged Unauthorized Access Of Patient Information At Griffin Hospital
January 13, 2010— Attorney General Sues Health Net For Massive Security Breach Involving Private Medical Records And Financial Information On 446,000 Enrollees
December 7, 2009—Attorney General Says Health Net Security Breach Concerns Worsen After Report Reveals Breach Was Likely Theft
November 9, 2009— Attorney General Investigating Blue Cross Blue Shield Data Breach Affecting 18,000 CT Health Care Professionals, Seeks Additional Protection For Victims
June 23, 2009—Attorney General Announces State To Receive Almost $400,000 From TJMaxx Owner In Data Breach Settlement
Source: Connecticut AG website: http://www.ct.gov/ag/site/default.asp
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.