State AGs Stepping Up HITECH Enforcement

Dom Nicastro, March 30, 2010

Connecticut Attorney General Richard Blumenthal is investigating his second case involving HIPAA violations this year, again using a legal authority granted to state attorneys general under the HITECH Act, signed into law in February 2009.

Blumenthal's office confirmed in a statement Monday that it is pursuing a case involving allegations that a radiologist formerly affiliated with a Connecticut hospital improperly had access to the records of nearly 1,000 of the hospital's patients.

Three months ago, Blumenthal announced he was suing Health Net of Connecticut, Inc., after the insurer reportedly failed to secure private medical records and financial information of 446,000 Connecticut members and then did not notify them of the possible security breach for six months.

Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog, says the power granted to state AGs to pursue lawsuits is a major change for HIPAA enforcement.

"Combined with the ability of individuals to get a 'piece of the pie' when penalties are handed out, this will be the biggest game-changer in HITECH," says Drummond.

The hospital involved in this week's case is Griffin Hospital of Derby, CT, a 160-licensed-bed facility that handled about 7,500 admissions last year (179,000 outpatients). Griffin confirmed the breach of protected health information (PHI) in a statement on its Web site.

From February 4 to March 5, Griffin said an investigation revealed a radiologist previously affiliated with the hospital or on the hospital's medical staff used the passwords of other radiologists and an employee within the radiology department to gain access to 957 patient radiology reports on the hospital's Digital Picture Archiving and Communication System (PACS). The reports included patient name, exam date, exam description, gender, age, medical record number, and date of birth, according to the facility.

The radiologist, once contracted with Griffin for radiology professional services, had authorized access to the hospital's PACS. However, his employment with the radiology group was terminated on February 3, 2010, Griffin says, and his password was revoked.

But through its investigation, Griffin learned of repeated unauthorized access to its PACS from a single computer. Its audit identified the Internet Protocol (IP) address of the former employee's computer as the one that made the inappropriate access.

The former employee downloaded the image files of 339 of these patients, Griffin said.

HealthLeaders Media on Tuesday asked a Griffin Hospital spokesperson if the former radiologist sought personal financial gain by recruiting the hospital's clients. Bill Powanda, vice president at Griffin and the hospital's spokesperson for the incident, said, "that will all come out in the investigation."

"These charges, if true, are deeply disturbing," Blumenthal said in a statement. "Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals. Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.