HIPAA Faces HITECH-Empowered State AGs
Now, it’s a matter of waiting to see what other states besides Connecticut will do, Apgar notes.
“California didn’t wait for HITECH and enacted its own laws that already have had an impact on healthcare entities in California,” Apgar says. “Given that, I would not be surprised to see the California AG getting into the act in the near future.”
Naturally, state attorneys general are not the only enforcers of HIPAA. OCR will release an enforcement audit plan per HITECH. It already posts names of entities reporting breaches of unsecured PHI affecting 500 or more individuals; that number, since the breach notification website went live in February, is up to 121 as of Monday, July 26.
Further, this month’s proposed rule clarifies that the HHS secretary will investigate any HIPAA violations involving “willful neglect,” or when a covered entity or business associate has no control over preventing a breach and does nothing to correct other breaches.
However, state attorneys general in the enforcement mix means covered entities and BAs are more on the hook for breaches than ever—starting with Health Net.
“The damage to Health Net is the adverse publicity and the potential for the filing of civil suits by individuals who believe they have been harmed,” says Apgar. “Given the size of Health Net there isn’t really any sting from the fine itself— more the publicity and the aftermath.”
According to Blumenthal’s office, Health Net allegedly lost a computer disk drive in May 2009 containing PHI and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information.
The company delayed notifying consumers and law enforcement authorities for about six months from the time of the breach, Blumenthal’s office reported.
The settlement between Health Net and the state includes:
- Two years of credit monitoring by Health Net
- $1 million of identity theft insurance and reimbursement for the costs of security freezes
- “Corrective Action Plan,” including:
- Continued identity theft protection
- Improved systems controls
- Improved management and oversight structures
- Improved training and awareness for its employees
- Improved incentives, monitoring, and reports
- $250,000 payment to the state representing statutory damages
- Additional contingent payment to the state of $500,000, if the lost disk drive is accessed and personal information used illegally, impacting plan members
- Providers Lag as Consumers Set Agenda
- Look Beyond Nurse-Patient Ratios
- Reform Puts Vise Grips on Physicians
- Esther Dyson Launches Population Health Challenge
- Crisis Spurs Healthcare Payment Reform in Arkansas
- Hospital Groups Back NQF Report on Patient Sociodemographics
- Medicare Opt-Out a Viable Physician Strategy
- NPP Demand Rising Under Value-Based Care Models
- ICD-10 Delay Alters Provider, Vendor Prep
- Boston Marathon Bombing Yields Lessons for Hospitals