Connecticut Attorney General Richard Blumenthal entered a brave new world yesterday, as the first state AG to file a HIPAA enforcement action under the “Son of HIPAA” amendments found in the HITECH Act. Among other HIPAA changes made in the new law (all of which should be of concern to health care providers, health care payors, health care clearinghouses — “covered entities” or CEs — and their “business associates” — vendors who touch electronic protected health information or ePHI), there is a provision that permits state attorneys general to file HIPAA enforcement actions on behalf of the people of their state, in order to protect their interests, and to seek injunctive relief and/or money damages. See Sec. 13410(e) of ARRA (p. 160 of HR 1 PDF).
The basic facts of the case are not unfamiliar: A hard drive gone missing from a health insurance company’s offices, this one with unencrypted information about 250,000 plan members. The insurer, Health Net, failed to promptly notify data subjects that the data had gone missing, taking six months to issue a notice and letters to affected individuals and offer credit monitoring and repair for anyone affected. Unfortunately, data breaches are all too common. See, for example, my post on the Virginia health data breach last year, and the recent Chilmark Research post asking, in essence, whether we can reasonably expect a breach-free world.
While asserting a HIPAA claim is new territory for state AGs, the crux of the claim is really a consumer protection claim, one of the state AGs’ mainstays.
The Connecticut AG (ONC chief David Blumenthal’s brother, by the way) said in a press release:
Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA. Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers.
These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft.
The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.
Failing to protect patient privacy blatantly violates federal law and Health Net’s public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties.
The press release continues:
Despite its own policies and requirements of federal law, Health Net failed to encrypt this private and protected information or promptly notify Connecticut residents whose personal information may have been compromised.
. . .
Blumenthal’s lawsuit alleges that Health Net failed to effectively supervise and train its workforce on policies and procedures concerning the appropriate maintenance, use and disclosure of protected health information.
It is unclear from published reports what Blumenthal is seeking to accomplish that Health Net has not already committed to do.
The takeaway point for other covered entities and business associates: An ounce of prevention is worth a pound of cure. Get into full compliance — and stay there — so that you don’t become a test case (or an opportunity for a state AG to get some press for being tough on HIPAA scofflaws). Not only do you need to adopt the policies and procedures called for under the Son of HIPAA rules — encryption, breach notification, beefed-up business associate agreements, and monitoring of business associates’ policies and procedures — you need to be sure that the policies and procedures are tailored to your business processes, that your personnel are fully trained on the content and the importance of these policies and procedures, and that they are actually being followed in real life.
I’ve been talking to a lot of folks about these sorts of reviews as February compliance dates are upon us for some of the changes outlined above … Nobody wants to be remembered as the Son of HIPAA test case.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting
Michael Kirsch, M.D. says
Losing a hard drive is a serious issue. However, mention HIPAA to any practicing physician, like me, and you will be greeted by head shaking and eye rolls. For most of us, HIPAA is only another paperwork burden that offers no meaningful benefit to patients. It’s another long form we throw at them when they come to see us. All of us, particularly patients, are suffering from ‘form fatigue’. Signing them becomes a pro forma exercise. Hospitalized patients can sign half a dozen forms before they reach their ward. Physicians have always practiced in a culture of confidentiality. HIPAA hasn’t helped us or our patients.
David Harlow says
Many of the highly-publicized data breaches (including the one that is the subject of this post) have been those of health care insurers (since they hold the data of large numbers of patients or providers); however, providers have upon occasion been the source of the breaches as well. Like it or not, HIPAA is the law of the land, and recent changes have upped the ante, and increased potential fine levels to the $1m range, in addition to empowering 50 state attorneys general to enforce the rules. For more information see these posts: Son of HIPAA Breach Notification Rules http://j.mp/3pWgop and Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who’s Ready? http://j.mp/iaZlt. If you are experiencing HIPAA form fatigue, then let me suggest that in addition to the changes you need to roll out next month, you add in information about patients’ health data rights, and perhaps your willingness to go above and beyond local legal requirements in terms of providing access to patient medical records. This could be a way to differentiate and market your practice and institution. See my post about the Declaration of Health Data Rights at http://j.mp/qbGoj.
Michael Kirsch, M.D. says
Thanks for your response, David. Of course, we are complying with the law of the land. My point is that HIPAA is not remedying any glaring confidentiality lapse in physicians’ offices, as we have always been tight on this issue. You recall that HIPAA had some absurd provisions when it was first launched, which have since been relaxed. With regard to your suggestion to ‘go above and beyond legal requirements’ with regard to upcoming paperwork requirements, would I still have time in the day to practice actual medicine? I presume that we both agree that many ‘solutions’ to problems use too wide a net, instead of a scalpel.
rob says
Under HITECH, does the state enforcement authority extend to federal facilities (e.g. military and VA hospitals)?
David Harlow says
State AGs are authorized to step in to protect the rights of residents of their states. No exclusion for federal facilities … Here’s the statutory language:
42 U.S.C. 1320d–5(d) ENFORCEMENT BY STATE ATTORNEYS GENERAL.—
(1) CIVIL ACTION.—[I]n any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—
(A) to enjoin further such violation by the defendant;
or
(B) to obtain damages on behalf of such residents of the State ….