Now, it’s a matter of waiting to see what other states besides Connecticut will do, Apgar notes.
“California didn’t wait for HITECH and enacted its own laws that already have had an impact on healthcare entities in California,” Apgar says. “Given that, I would not be surprised to see the California AG getting into the act in the near future.”
Naturally, state attorneys general are not the only enforcers of HIPAA. OCR will release an enforcement audit plan per HITECH. It already posts names of entities reporting breaches of unsecured PHI affecting 500 or more individuals; that number, since the breach notification website went live in February, is up to 121 as of Monday, July 26.
Further, this month’s proposed rule clarifies that the HHS secretary will investigate any HIPAA violations involving “willful neglect,” or when a covered entity or business associate has no control over preventing a breach and does nothing to correct other breaches.
However, having state attorneys general in the enforcement mix means covered entities and BAs are more on the hook for breaches than ever, starting with Health Net.
“The damage to Health Net is the adverse publicity and the potential for the filing of civil suits by individuals who believe they have been harmed,” says Apgar. “Given the size of Health Net there isn’t really any sting from the fine itself—more the publicity and the aftermath.”
According to Blumenthal’s office, Health Net allegedly lost a computer disk drive in May 2009 containing PHI and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, Social Security numbers, protected health information and financial information.
The company delayed notifying consumers and law enforcement authorities for about six months from the time of the breach, Blumenthal’s office reported.
The settlement between Health Net and the state includes: