State attorneys general are beginning to focus their attention on health care privacy laws under the authority granted to them by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and state consumer laws. On May 24, 2012, Massachusetts Attorney General Martha Coakley announced the filing of a final judgment with a licensed Massachusetts hospital (the “Hospital”), arising from violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This is the third lawsuit and the largest settlement to date initiated by a state attorney general under HITECH for HIPAA violations.
This action arose out of the Hospital’s report to the Attorney General that a breach had occurred in July 2010. That breach arose when the Hospital sought to erase 473 unencrypted data tapes containing information on 800,000 individuals. The Hospital shipped the tapes to a Texas subcontractor in three boxes, but only one of the boxes arrived. Upon investigation, the Attorney General alleged that the Hospital had failed to adequately implement appropriate safeguards, policies and procedures to protect consumer information. In particular, the state found that the Hospital failed in its HIPAA compliance in the following ways:
- The Hospital did not implement appropriate safeguards, policies and procedures to protect consumer information.
- The Hospital did not execute an adequate business associate agreement with the data destruction contractor.
- The Hospital did not inform the data destruction contractor that the tapes contained protected health information (“PHI”).
As a result, the Massachusetts Attorney General and the Hospital reached a final consent agreement whereby the Hospital agreed to pay $750,000 and to perform several obligations in a variety of areas, as follows:
- Business Associate or Service Provider Agreements. The Hospital is required to develop a template Business Associate or Service Provider Agreement that requires the encryption and disposal of PHI. The agreement must require that the business associate report all data breaches to the Hospital so that the data breach can be reported to proper state and federal authorities.
- Certificates of Destruction. The Hospital is required to request certificates of destruction from the business associate or service provider upon the destruction of PHI within 90 days after the destruction was scheduled to have taken place, and to review the certificates of destruction.
- Workforce training. The Hospital is required to train its workforce at least once every 12 months on proper data security, including proper disposal of paper and electronic media containing PHI, and proper reporting of data security incidents. The Hospital must also provide written reminders once every 12 months to its employees with contracting authority regarding proper procedures for obtaining Business Associate or Service Provider Agreements with third parties.
- Audit. The Hospital must hire a third party to review and audit the Hospital’s data security and its agreements with data destruction services.
Under HITECH, state attorneys general have the authority to prosecute HIPAA violations on behalf of the residents of their respective states and impose monetary penalties. Additionally, most, if not all, states have consumer protection and data breach reporting laws that grant state attorneys general the authority to pursue privacy violations. In light of increasing activity in the area of privacy enforcement, health care providers and business associates should take the necessary steps to ensure their HIPAA compliance programs are effective to protect private information and avoid liability. As HIPAA enforcement increases, so too will the interest of states in investigating HIPAA violations.
Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. Our HIPAA Impact Series may be accessed at www.hallrender.com/impact.
If you need additional information about HIPAA/HITECH, please contact Mark Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com or your regular Hall Render attorney.
Special thanks to Lea H. Lockhart, Law Clerk, for her assistance with the preparation of this installment of Hall Render’s HIPAA Impact Series.
