State AGs look to ramp up general HIPAA enforcement
Efforts by the federal Office of Civil Rights to investigate data breaches at healthcare organizations are of great concern to security and compliance officers at healthcare organizations. That can represent potential disruption, cost and reputational damage. However, the possibility of a State Attorney General (AG) action is often underestimated and overlooked, according to a recent report from Clearwater, a supplier of cyber risk management and HIPAA compliance solutions.
“State AGs are becoming much more active and now banding together to initiate multi-state suits,” asserts a report by Clearwater’s Mary Chaput, a member of its board directors and formerly its CFO and chief compliance officer. “They are following OCR’s lead and bringing their own actions on healthcare organizations that have violated HIPAA regulations, most recently in cases where there has been a failure to conduct a risk analysis of all information systems that maintain, receive, create or transmit ePHI.”
OCR prods state AG enforcement
OCR has been encouraging state AGs to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules since the 2009 passage of section 13410(e) of the HITECH Act. The federal agency promised to collaborate with state AGs seeking to bring civil actions to enforce HIPAA rules, provide guidance on the statute and assist state AGs in exercising their new enforcement authority.
Slow uptake, spotty enforcement
But it has taken some time for state AGs to get involved in these actions, and some have been more active than others. The earliest state HIPAA enforcement action was undertaken in 2010 by the Connecticut attorney general against Health Net for the theft of a portable hard drive and a delay in notification. About 446,000 Connecticut residents were affected, and the action cost Health Net $250,000. In 2011, the Vermont AG also took action against Health Net, for $55,000 on behalf of 525 of its residents.
State AG efforts gain traction
Activity picked up in 2012. The Minnesota attorney general settled a lawsuit with Accretive Health for $2.5 million for sharing patient information of 23,000 residents without a business associate agreement; the settlement banned the company from operating in Minnesota for two years. The Massachusetts attorney general fined South Shore Hospital $750,000 on behalf of 800,000 residents for providing unencrypted data tapes to a subcontractor to erase and resell. In 2013, the Massachusetts AG fined Goldthwait Associates $140,000 for throwing health records of 67,000 residents into a public dumpster, and that state’s office reported three enforcement actions in 2014, totaling $290,000 in fines.
Empire State AG enforcement grows
New York’s state attorney general has increased its enforcement actions in recent years. These include:
· University of Rochester Medical Center, $15,000 fine for insufficiently training a nurse practitioner who shared patient information (2015)
· CoPilot Support Services, $130,000, for permitting unauthorized access to health records of 220,000 residents (2017)
· Aetna, $1.15 million, for revealing HIV/AIDS status through a mailing label error (2018)
· Arc of Erie County, $200,000, for a business associate exposing sensitive protected health information (2018)
· Emblem Health, $575,000, for revealing Social Security numbers on mailing labels (2018)
Additional 2018 settlements on the books
The New Jersey AG settled with Virtua Medical Group for $418,000 over charges that it did not protect ePHI sent to a transcription firm, and with Emblem Health for $100,000 for revealing Social Security numbers.
The Massachusetts AG settled with UMass Memorial Health Care for $230,000 for two incidents of employees accessing patients’ PHI; with McLean Hospital for $75,000 for losing four unencrypted backup computer tapes containing psychiatric patients’ information; and with Yapstone, a payment processor, for $155,000 for an unprotected website that contained Social Security numbers.
Multistate actions commence
The first multistate settlement by state AGs—involving Connecticut, New Jersey, Washington and the District of Columbia—was reached in October 2018 with Aetna for $640,000. In early 2019, Aetna was hit with a $935,000 settlement from California’s AG.
Most recently, Medical Informatics Engineering agreed to pay $900,000 in a multistate lawsuit involving 16 state AGs. The Indiana EMR service provider, a business associate, did not perform a comprehensive risk analysis before its server was hacked in May 2015, breaching the data of 3.5 million patients of several healthcare clients who were residents of the 16 states, Clearwater reports.
Patients amp up pressure over privacy
Patients are frustrated and angry with the number of breaches that are occurring in the healthcare industry, Clearwater contends. “This is an important issue for constituents and one where we believe state AGs, as well as state politicians, will continue to demonstrate to their residents that they are taking action,” it says. “Our prediction is there will be very little mercy shown for any organization that fails to comply with requirements of HIPAA, and especially for those that experience a breach, and are found not to have conducted a risk analysis that might have identified the vulnerability that was exploited.”
Where state AGs likely will focus their attention next
Clearwater recently had the opportunity to consult on a large state AG enforcement action, and based on that experience it offers the following perspective. “Of the 21 state AG enforcement actions, 16 of them (76 percent) involved ePHI; the only way anyone can understand and prioritize risk mitigation in a cybersecurity program is to conduct a bona-fide OCR-quality risk analysis,” it contends.
What healthcare organizations need to do
Healthcare security pros must have a firm grasp of all the threats to their information assets, the vulnerabilities that exist within those assets, and the strength of the controls protecting that information. That understanding is key to prioritizing risk response activities and minimizing the likelihood and impact of a breach. In addition to identifying gaps in security programs, a risk analysis will demonstrate, in the case of a reportable breach, an organization’s diligent efforts to comply with regulations and protect sensitive information, which can reduce the potential penalties, Clearwater contends.
How to respond
Comprehensively protecting healthcare information may be viewed as a large investment, but as both OCR and state AGs are making clear, it is necessary. The cost of identifying and responding to risks is far less than the monetary penalties and the price of irreparable reputational damage, and that is before counting the pain and distraction of responding to civil lawsuits and to actions by OCR and state AGs. Healthcare organizations should redouble their efforts to strengthen their HIPAA compliance and cybersecurity programs.