State Fines Hospital, EMC After Breach
Settlement Calls for Improving HIPAA Compliance
Hartford (Conn.) Hospital and its business associate, EMC Corp., have agreed to pay $90,000 as part of a "voluntary compliance assurance" agreement with Connecticut's attorney general related to a 2012 health data breach. The incident, involving a stolen unencrypted laptop, affected nearly 9,000 individuals.
In addition to paying the financial settlement, both the hospital and EMC have agreed to take a number of corrective actions to improve their HIPAA compliance, according to a statement from Connecticut Attorney General George Jepsen.
The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions on behalf of state residents for violations of the HIPAA privacy and security rules. But such actions have been quite rare, with the attorney general in Massachusetts being one of the most active.
Most states lack resources to aggressively enforce HIPAA, Shannon Choy-Seymour, an assistant attorney general in the healthcare division of the Massachusetts attorney general's office, said during a recent presentation. "A lot of state AGs don't have healthcare protection divisions. But in talking with other AGs, there is renewed interest in this area."
The recent case in Connecticut should put covered entities and business associates on alert about potential state legal action, says independent HIPAA attorney Susan Miller. CEs and BAs also should be aware that some state courts are permitting injured parties to bring breach-related lawsuits "that declare that the HIPAA law and regulations are a 'standard of care' that a CE or BA did not keep," she notes.
Responsibilities Under HIPAA
In a statement about the Connecticut settlement, Jepsen notes: "The responsibilities of those who maintain and use personal information under HIPAA and Connecticut's privacy laws are clear and are appropriately intended to protect the privacy of the patients. All healthcare providers and any contractors who work with healthcare providers should pay close attention to these responsibilities and review their internal controls and policies to ensure that they're doing all they possibly can to comply with the law and to keep this information safe."
Under the agreement, Hartford Hospital has taken a number of steps focused on HIPAA requirements related to its business associate agreements with vendors. Meanwhile, EMC has agreed to maintain "reasonable policies" requiring the encryption of all protected health information stored on laptops or other portable devices and transmitted across wireless or public networks.
The agreement also calls for EMC "to maintain reasonable policies for employees relating to the storage, access and transfer of PHI outside of EMC premises, as well as provide training to those employees responsible for handling or using PHI and maintain policies for responding to events involving unauthorized acquisition, access, use or disclosure of PHI."
The settlement stems from an investigation by the state attorney general into the June 2012 theft of an unencrypted laptop from the home of an employee of a company that EMC had previously acquired, Greenplum.
At the time of the theft, the EMC subsidiary was performing data analysis as part of a quality improvement project related to hospital readmissions of congestive heart failure patients, according to the voluntary compliance assurance agreement.
The attorney general's statement indicates that the stolen laptop, which was never recovered, contained unencrypted PHI of approximately 8,883 Connecticut residents.
Information on the stolen computer included names, addresses, dates of birth, marital status, Social Security numbers, Medicaid and Medicare numbers, medical record numbers and certain diagnosis and treatment information, according to a statement Hartford Hospital issued in 2012.
The settlement agreement says there is no evidence that any of the information contained on the stolen device has been misused.
Business Associate Agreements
The settlement document also notes that when EMC notified Hartford Hospital of the theft, the hospital determined that it had not entered into a business associate agreement with EMC, a requirement under HIPAA.
As part of the settlement, Hartford Hospital says it has taken a number of steps focused on its BAAs. That includes developing a flowchart to assist business managers in determining when a BAA is required; developing and implementing an IT contract checklist and a questionnaire to assist IT business managers in identifying the types of PHI to be shared with a vendor and the appropriate privacy and security controls to be implemented by BAs handling PHI; and developing training modules for business managers dealing with BAs.
Neither the Connecticut attorney general's office nor Hartford Hospital immediately responded to Information Security Media Group's request for comment.
An EMC spokeswoman tells ISMG, "While EMC believes it did not violate any laws, resolving things by agreement was the best course for all involved. EMC remains fully committed to the privacy and data security of all customers with which it deals."
EMC declined to comment on how the $90,000 payment to Connecticut's state AG was being divided between EMC and Hartford Hospital.
Other State Actions
Former Connecticut Attorney General Richard Blumenthal in July 2010 reached a settlement with health insurer Health Net to pay $250,000 and implement a corrective action plan in a HIPAA breach case that impacted 1.9 million individuals and involved nine lost unencrypted server drives. That case marked the first time a state attorney general filed a HIPAA civil lawsuit, as enabled by the HITECH Act. Since then, Connecticut's AG office has reached HIPAA settlements in "fewer than 10" cases, a spokesman in the state's AG office says.
Since the HITECH Act was enacted, Massachusetts apparently has led the way in taking HIPAA-related enforcement actions. The largest settlement so far was a 2012 settlement with South Shore Hospital, which agreed to pay $750,000 to resolve allegations that it failed to protect the information of more than 800,000 consumers in a data breach reported in 2010 involving 473 lost unencrypted back-up tapes.
Other more recent Massachusetts AG actions include a $150,000 settlement with Women and Infants Hospital of Rhode Island; a $100,000 settlement with Beth Israel Deaconess Medical Center in Boston; and a $40,000 settlement with Boston Children's Hospital.
Privacy and security attorney Kirk Nahra of the law firm Wiley Rein says that aside from Massachusetts and Connecticut, most states have not pursued HIPAA enforcement cases.
"We have not seen very many HIPAA settlements by state AGs, even though they have very broad authority in many situations. Each time there is one, I think other folks will jump on board, but that hasn't really happened yet. I can't really explain why they haven't done more, particularly since there have been plenty of potential cases."
Also, state attorney general cases against business associates remain rare, and no HIPAA cases against BAs by the federal agency responsible for HIPAA enforcement - the Department of Health and Human Services' Office for Civil Rights - have been revealed so far, he notes.
However, that trend could change in coming months, Nahra predicts. "I would expect to see a BA enforcement [by OCR] in 2016."