By ROLF E. LOWE
The Health Information Technology for Economic and Clinical Health Act (the HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, contains several provisions intended to strengthen the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). One of these provisions gives state attorneys general (SAGs) the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
The Health and Human Services Office of Civil Rights, which has oversight of HIPAA violations at the federal level, is also involved in actions brought by SAGs. The Office of Civil Rights provides a training module to assist SAGs in investigating and seeking damages for HIPAA violations on behalf of state residents. SAGs contemplating a civil action for HIPAA violations are encouraged, but not required, to contact the regional office of the Office of Civil Rights to discuss potential actions. SAGs are also required to notify Health and Human Services and serve it with a copy of the complaint they intend to file at least 48 hours before filing the action, unless such notice is not feasible. While Health and Human Services is required to investigate any HIPAA complaints and to review any reports of a breach or disclosure, SAG enforcement is allowed but not required under the act.
SAG enforcement has produced some significant payments to states. In one of the initial filings under the HITECH Act, Connecticut Attorney General Richard Blumenthal filed suit against Health Net after it allegedly lost a computer disk drive containing protected health information (PHI) and other private information of over 500,000 Connecticut residents. Health Net ended up paying Connecticut $250,000 to settle the lawsuit. In 2012, Minnesota Attorney General Lori Swanson filed a lawsuit against Accretive Health, a debt collection agency acting as a business associate of a covered entity. Accretive Health allegedly lost a laptop containing unencrypted PHI of about 23,500 Minnesota residents, which led to an investigation by Swanson’s office. After the investigation, Swanson filed suit against Accretive alleging violations of state and federal privacy laws. Accretive Health eventually agreed to a $2.5 million settlement.
Michigan has also seen enforcement in this area. Earlier this year Michigan Attorney General Dana Nessel, along with the SAGs of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin, settled a multi-state lawsuit with Medical Informatics Engineering (MIE). Hackers allegedly infiltrated a Web application run by MIE, compromising the PHI of more than 3.9 million people. The suit alleged that MIE violated provisions of HIPAA and various state data breach and personal information protection acts. MIE ended up paying $900,000 to settle the matter, with Michigan receiving $25,283. This was the first multi-state action settled under the HITECH Act. In a statement related to the MIE settlement, Nessel said her office should be notified at the onset of a data breach, but acknowledged that there is no law requiring such notification.
The recent data breach associated with Quest Diagnostics, involving over 12 million patients, is also on Nessel’s radar screen. Her office sent a request for information concerning the data breach to American Medical Collection Agency, Quest Diagnostics and Optum 360, the three companies allegedly responsible for the breach.
Nessel’s request concerning the Quest Diagnostics data breach and the recent settlement with MIE suggest that this is an area her office will continue to monitor. As a result, covered entities and business associates should take SAG enforcement into consideration when reviewing or drafting policies, and when a breach or disclosure occurs. For additional information or assistance, please contact Rolf Lowe, Esq. of Wachler & Associates at (248) 544-0888.