HIPAA Faces HITECH-Empowered State AGs
If your organization is paying close attention to the HIPAA proposed rule published in the Federal Register July 14, keep paying attention.
However, perhaps lost in the shuffle of the proposed rule is the July 6 announcement by Connecticut Attorney Richard Blumenthal’s office of the $250,000 settlement Health Net and its affiliates agreed to pay for a breach of protected health information (PHI) affecting nearly a half million Connecticut enrollees.
The settlement is a landmark one. Blumenthal’s office is the first to cash in on the new HITECH-granted authority for state attorneys general to pursue HIPAA lawsuits.
How eager was Connecticut’s state attorney general to use the HITECH power?
HHS has yet to levy any civil penalties against any covered entities (and now business associates) since the HIPAA Privacy Rule was in force April 14, 2003, according to Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.
That’s more than seven years. Blumenthal’s settlement with Health Net came a little more than one year after HITECH became law.
Blumenthal isn’t alone.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, puts adding state attorneys general to the HIPAA enforcement mix this way: “There are 50 new sheriffs in town.”
“Most state AGs are elected, and almost all of them do everything they can to get re-elected,” says Drummond, who will be a co-presenter on the HCPro, Inc. August 31, 2010, audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations.”
“That means they'll be much more susceptible to public or political pressure to pursue HIPAA violations, particularly if there's a ‘good story’ behind the breach. They want to be seen as protecting the little guy, and they're much more incentivized” than the Office for Civil Rights (OCR), which enforces HIPAA for HHS.
Drummond says the power to state attorneys general also means 50 additional state courts where litigation may occur, which could “lead to multiple different interpretations of particular provisions of HIPAA.”
“So, it's almost a certainty that there will be more enforcement litigation, and that litigation will likely lead to different standards in different states,” Drummond adds.