Hartford Hospital, EMC Corp. Fined for HIPAA Violations
Connecticut Attorney General George Jepsen has levied a fine totaling $90,000 against Hartford Hospital and information technology vendor EMC Corp. for violation of HIPAA privacy and security rules.
Connecticut Attorney General George Jepsen has levied a fine totaling $90,000 against Hartford Hospital and information technology vendor EMC Corp. for violation of HIPAA privacy and security rules.
The Connecticut action is a reminder to healthcare industry stakeholders that state AGs have authority to enforce HIPAA, and several are doing so.
The disciplinary action comes after an unencrypted laptop containing protected health information on nearly 8,900 Connecticut residents was stolen from the home of an EMC employee in June 2012.
EMC was a business associate to Hartford Hospital, engaged in analyzing patient data to reduce avoidable admissions of patients with congestive heart failure. After EMC notified Hartford Hospital of the theft, the facility realized it had not entered into a business associate agreement with the vendor, according to the AG office. The hospital contacted patients whose information was contained on the laptop, and it offered them credit and identity theft services from AllClear ID.
In addition to each contributing to pay the fine, both organizations also entered into agreements to enhance the security of protected health information. Hartford Hospital, for instance, will encrypt files or data containing PHI before it transmits or transfers such information, a statement from the attorney general’s office said.
After the incident, Hartford implemented multiple security improvements, including a process to determine when a BAA is required; new checklists and questionnaires for determining if a potential vendor meets certain privacy and security controls; annual mandated training; and contract revisions that incorporate HIPAA-required business associate provisions into contracts, among others.
EMC has agreed to “maintain reasonable policies requiring the encryption of all PHI stored on laptops or other portable devices and transmitted across wireless or public networks and to maintain reasonable policies for employees relating to the storage, access and transfer of PHI outside of EMC premises,” according to the AG statement.
Former Connecticut Attorney General Richard Blumenthal, now a United States Senator, also targeted healthcare organizations following breaches. Blumenthal sued insurer Health Net for failure to disclose a large 2009 breach in a timely manner with the settlement calling for a $250,000 fine and a state approved action plan. Then, the Connecticut Insurance Department used its state authority to fine Health Net of Connecticut $375,000.
Also See: State AGs Ask Congress Not to Preempt Breach Notification Laws
Former Massachusetts Attorney General Martha Coakely was particularly active in taking HIPAA enforcement action against covered entities. Beth Israel Deaconess Medical Center paid a $100,000 fine after a physician’s laptop was stolen, South Shore Hospital paid fines totaling $750,000 but with $275,000 credited for investments to improve security, Boston Children’s Hospital paid $40,000 following the theft of an unencrypted laptop, and four pathology practices were fined a total of $140,000 for dumping patient records at a recycling station.
Responding to a request from HDM, Hartford Hospital issued the following comment on the recent action taken by Connecticut AG Jepsen:
“We treat all matters related to patient privacy and confidentiality with the utmost seriousness. After the incident occurred in 2012, Hartford Hospital put into place several educational and procedural changes. These include remedial education, new policies, operational checklists, enhanced mandatory compliance training, more robust training modules regarding privacy, new contract templates and additional contracting procedures.
“Hartford Hospital has entered into a voluntary resolution with the Attorney General’s office to address the issue: the theft of a laptop computer from a consultant who was working for Hartford Hospital in 2012. The stolen laptop contained protected health information of about 8,883 patients. There is no evidence that any of the information has been misused. As the Attorney General’s agreement shows, back in 2012, Hartford Hospital appropriately notified the patients affected, the Attorney General’s office and the media of the theft of the laptop.”
Upon request, EMC Corporation also released the following statement on the settlement:
“EMC has fully cooperated with the Connecticut Attorney General's office during its review of this matter. While EMC believes it did not violate any laws, resolving things by agreement was the best course for all involved. EMC remains fully committed to the privacy and data security of all customers with which it deals.”
The Connecticut action is a reminder to healthcare industry stakeholders that state AGs have authority to enforce HIPAA, and several are doing so.
The disciplinary action comes after an unencrypted laptop containing protected health information on nearly 8,900 Connecticut residents was stolen from the home of an EMC employee in June 2012.
EMC was a business associate to Hartford Hospital, engaged in analyzing patient data to reduce avoidable admissions of patients with congestive heart failure. After EMC notified Hartford Hospital of the theft, the facility realized it had not entered into a business associate agreement with the vendor, according to the AG office. The hospital contacted patients whose information was contained on the laptop, and it offered them credit and identity theft services from AllClear ID.
In addition to each contributing to pay the fine, both organizations also entered into agreements to enhance the security of protected health information. Hartford Hospital, for instance, will encrypt files or data containing PHI before it transmits or transfers such information, a statement from the attorney general’s office said.
After the incident, Hartford implemented multiple security improvements, including a process to determine when a BAA is required; new checklists and questionnaires for determining if a potential vendor meets certain privacy and security controls; annual mandated training; and contract revisions that incorporate HIPAA-required business associate provisions into contracts, among others.
EMC has agreed to “maintain reasonable policies requiring the encryption of all PHI stored on laptops or other portable devices and transmitted across wireless or public networks and to maintain reasonable policies for employees relating to the storage, access and transfer of PHI outside of EMC premises,” according to the AG statement.
Former Connecticut Attorney General Richard Blumenthal, now a United States Senator, also targeted healthcare organizations following breaches. Blumenthal sued insurer Health Net for failure to disclose a large 2009 breach in a timely manner with the settlement calling for a $250,000 fine and a state approved action plan. Then, the Connecticut Insurance Department used its state authority to fine Health Net of Connecticut $375,000.
Also See: State AGs Ask Congress Not to Preempt Breach Notification Laws
Former Massachusetts Attorney General Martha Coakely was particularly active in taking HIPAA enforcement action against covered entities. Beth Israel Deaconess Medical Center paid a $100,000 fine after a physician’s laptop was stolen, South Shore Hospital paid fines totaling $750,000 but with $275,000 credited for investments to improve security, Boston Children’s Hospital paid $40,000 following the theft of an unencrypted laptop, and four pathology practices were fined a total of $140,000 for dumping patient records at a recycling station.
Responding to a request from HDM, Hartford Hospital issued the following comment on the recent action taken by Connecticut AG Jepsen:
“We treat all matters related to patient privacy and confidentiality with the utmost seriousness. After the incident occurred in 2012, Hartford Hospital put into place several educational and procedural changes. These include remedial education, new policies, operational checklists, enhanced mandatory compliance training, more robust training modules regarding privacy, new contract templates and additional contracting procedures.
“Hartford Hospital has entered into a voluntary resolution with the Attorney General’s office to address the issue: the theft of a laptop computer from a consultant who was working for Hartford Hospital in 2012. The stolen laptop contained protected health information of about 8,883 patients. There is no evidence that any of the information has been misused. As the Attorney General’s agreement shows, back in 2012, Hartford Hospital appropriately notified the patients affected, the Attorney General’s office and the media of the theft of the laptop.”
Upon request, EMC Corporation also released the following statement on the settlement:
“EMC has fully cooperated with the Connecticut Attorney General's office during its review of this matter. While EMC believes it did not violate any laws, resolving things by agreement was the best course for all involved. EMC remains fully committed to the privacy and data security of all customers with which it deals.”
More for you
Loading data for hdm_tax_topic #better-outcomes...