HIPAA enforcement by state attorneys general: The shape of things to come

Connecticut Attorney General Richard Blumenthal entered a brave new world yesterday, as the first state AG to file a HIPAA enforcement action under the “Son of HIPAA” amendments found in the HITECH Act.  Among other HIPAA changes made in the new law (all of which should be of concern to health care providers, health care payors, health care clearinghouses  — “covered entities” or CEs — and their “business associates” — vendors who touch electronic protected health information or ePHI), there is a provision that permits state attorneys general to file HIPAA enforcement actions on behalf of the people of their state, in order to protect their interests, and to seek injunctive relief and/or money damages.  See Sec. 13410(e) of ARRA (p. 160 of HR 1 PDF).

The basic facts of the case are not unfamiliar:  A hard drive gone missing from a health insurance company’s offices, this one with unencrypted information about 250,000 plan members.  The insurer, Health Net, failed to promptly notify data subjects that the data had gone missing, taking six months to issue a notice and letters to affected individuals and offer credit monitoring and repair for anyone affected.  Unfortunately, data breaches are all too common.  See, for example, my post on the Virginia health data breach last year, and the recent Chilmark Research post asking, in essence, whether we can reasonably expect a breach-free world.

While asserting a HIPAA claim is new territory for state AGs, the crux of the claim is really a consumer protection claim, one of the state AGs’ mainstays.

The Connecticut AG (ONC chief David Blumenthal’s brother, by the way) said in a press release:

Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA. Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers.

These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft.

The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.

Failing to protect patient privacy blatantly violates federal law and Health Net’s public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties.

The press release continues:

Despite its own policies and requirements of federal law, Health Net failed to encrypt this private and protected information or promptly notify Connecticut residents whose personal information may have been compromised.

. . .
Blumenthal’s lawsuit alleges that Health Net failed to effectively supervise and train its workforce on policies and procedures concerning the appropriate maintenance, use and disclosure of protected health information.

It is unclear from published reports what Blumenthal is seeking to accomplish that Health Net has not already committed to do.

The takeaway point for other covered entities and business associates:  An ounce of prevention is worth a pound of cure.  Get into full compliance — and stay there — so that you don’t become a test case (or an opportunity for a state AG to get some press for being tough on HIPAA scofflaws).  Not only do you need to adopt the policies and procedures called for under the Son of HIPAA rules — encryption, breach notification, beefed-up business associate agreements, and monitoring of business associates’ policies and procedures — you need to be sure that the policies and procedures are tailored to your business processes, that your personnel are fully-trained on the content and the importance of these policies and procedures, and that they are actually being followed in real life.

I’ve been talking to a lot of folks about these sorts of reviews as February compliance dates are upon us for some of the changes outlined above … Nobody wants to be remembered as the Son of HIPAA test case.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting