The Parade of PHI Security Breaches - Providers and Insurers Beware of Attorney General Richard Blumenthal and Other Attorneys General

As reported previously on this blog, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have continuously been bringing to light new breaches of PHI involving highly respected and sophisticated providers and insurers. With the authorization by HITECH of enforcement of HIPAA/HITECH violations by state attorneys general, direct intervention by attorneys general has been taking place.

Richard Blumenthal, the Attorney General of Connecticut and a candidate for U.S. Senate, has been especially prominent in his prompt launching of investigations of PHI security breaches affecting individuals in his state. 

For example, on August 18, 2010, Yale School of Medicine reported that it had begun notifying approximately 1,000 individuals whose clinical health information was contained on a laptop computer that was stolen.  On the heels of that disclosure, Attorney General Blumenthal announced, “My office has begun an investigation to identify the cause of the breach and assure ongoing protections for patients.”

One day later on August 19, 2010, ctwatchdog.com reported that Mr. Blumenthal had announced an investigation into another security breach, this time at the University of Connecticut where a laptop containing private financial information on 10,174 applicants was stolen.

These new disclosures by Mr. Blumenthal are only the latest in his parade of investigations of PHI security breaches. The enactment of HITECH gave state attorneys general the ability to bring enforcement actions over PHI security breaches under HIPAA for the first time.

Under HITECH, state attorneys general are authorized to bring civil suits in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations.  The attorneys general can sue for injunctive relief and/or damages and attorney fees.  Moreover, HIPAA/HITECH does not prevent a state attorney general from exercising powers under state law respecting PHI security breaches.

 

In July 2010 Mr. Blumenthal distinguished himself in an earlier case by successfully recovering for Connecticut the first state settlement under HIPAA/HITECH with healthcare insurer Health Net and its affiliates in an amount of $250,000 for alleged health data security breaches. Mr. Blumenthal had charged Health Net with failing in May 2009 (i) to properly protect private patient medical records and financial information on nearly 500,000 Connecticut enrollees and (ii) to promptly notify consumers endangered by the breach.

 

The actions, visibility and financial success from Mr. Blumenthal’s numerous PHI security breach investigations in Connecticut are likely to stir other attorneys general around the country to follow suit.  These actions can be very disruptive for providers and insurers who suffer a PHI security breach even if no settlement payment is necessary. 

 

For example, HIPAA/HITECH gives such providers and insurers up to 60 days for internal investigation before requiring a report to the U.S. Department of Health and Human Services and public disclosure respecting a PHI breach involving 500 or more individuals.  However, early publicity by an attorney general prior to the passing of the 60-day period may force a public statement by a provider or insurer before it has completed its own internal investigation and prepared an orderly public disclosure and response.  Prompt, decisive and proactive action will be required of such a provider or insurer to maximize damage control and rehabilitate relations with clients and the public in advance of the expiration of the 60-day HIPAA/HITECH period.

 

CMS Answers Frequently Asked Questions Regarding Electronic Health Record Incentives

by Todd Rodriguez, Esquire

In July, the Centers for Medicare and Medicaid Services (CMS) released the much-anticipated final regulations that providers are required to meet in order to receive the Medicare incentives for adoption of a certified electronic health record system. In the final rule, CMS set forth 15 core elements which must be met in order to qualify for “meaningful use” of the EHR system.

Notwithstanding the regulations, the requirements are complex and many physicians and other providers have a host of questions regarding both the regulations and the incentive program. To address some of these questions, CMS has issued a number of Frequently Asked Questions (FAQs) on its website. To review the new EHR FAQs, physicians can click here and type the term “EHR” into the search window.

Crossposted from Fox Rothschild's Physician Law blog.

 

The Ever-Lengthening Parade of PHI Security Breaches - The New Paper Chase of Four Massachusetts Community Hospitals

This blog has been reporting on the effects on providers, insurers and others of the HIPAA/HITECH statutes and regulations that require public disclosure of breaches of unsecured Protected Health Information ("PHI"). While the greatest attention under HIPAA/HITECH has been on electronic health records ("EHR"), the increasing inventory of billions of hard copy pages of paper health records containing PHI ("Paper HR") is a continuing material hazard for providers and insurers and their respective business associates and subcontractors. 

Because a large Paper HR security breach involves a bulk mass of paper, it generally may impact only a fraction of the number of individuals that can be affected by a typical EHR security breach. Nonetheless, the vigilance necessary to prevent a Paper HR security breach must be at a high level. Even where the proper measures appear to be in place, a PHI security breach may occur, giving rise to costs of notifying affected individuals and potential collateral damage. 

Liz Kowalczyk identified a case in point in her article  on August 13, 2010 in The Boston Globe.  She reported that four Massachusetts community hospitals were investigating how thousands of patient health records, some containing Social Security numbers and sensitive medical diagnoses in addition to "patients’ names, addresses, and results of breast, bone, and skin cancer tests, as well as the results of lab work following miscarriages" ended up in a pile at a public dump.

The Kowalczyk article stated that one of the four hospitals believes that records of 8,000 to 12,000 patients may have been affected and another of the hospitals believes that records of 16,000 to 24,000 patients may have been affected. Ms. Kowalczyk explained that a major issue to be sorted out is who is responsible for the improper disposal of Paper HR, thereby imposing on that person, as required by HITECH,  the obligation to notify all individuals who may have suffered a compromise of their PHI.

It should be noted that there can be other substantial collateral damage in the aftermath of a PHI security breach for responsible parties, including heavy penalties and potential damages.

If the number of affected patients reported in the Kowalczyk article proves to be correct, this event would rank among the largest reported PHI security breaches involving Paper HR. As required by section 13402(e)(4) of the HITECH Act, the Secretary of the U.S. Department of Health and Human Services has posted a list (the "HHS List") of all reported breaches of unsecured PHI affecting 500 or more individuals ("Large Breaches").

As of August 14, 2010, there were 108 separate postings of Large Breaches on the HHS List for events dating back to September 22, 2009.  Of this number, 22 postings were listed that related to Paper HR and impacted an aggregate of approximately 76,000 individuals.  Three of the Paper HR postings were identified as breaches involving "improper disposal."

The largest single posting on the HHS List respecting Paper HR was an event on January 26, 2010 that was reported for UnitedHealth Group and affected 16,291 individuals. Therefore, the potential PHI security breaches reported in the Kowalczyk article appear to affect collectively far more individuals than any single Paper HR event that is on the HHS List as of August 14, 2010.

If individual Paper HR security breach events are compared in magnitude to EHR events, however, as of August 14, 2010, there were eleven separate postings on the HHS List reported for PHI breaches that involved EHR and affected individuals ranging between 40,000 and 1,220,000 in number.  Therefore, the risks of large security breaches of PHI appear to be most significant for EHR.  However, as this blog has observed earlier, the public disclosures required by HIPAA/HITECH for a security breach respecting PHI often bring embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.

To this end, there must be heightened efforts to avoid PHI security breaches for both Paper HR and EHR.  In many cases breaches have occurred even if apparently reasonable policies, procedures and precautions have been established.  If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public.

PHI: The Parade of Security Breaches Continues to Lengthen with the Addition of Thomas Jefferson University Hospital

 

The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light an increasing volume of such breaches involving highly respected and sophisticated providers and insurers. Public disclosure has often encouraged such providers and insurers to go well beyond the minimum legally required responses as a matter of redeeming client relations and public image.

Josh Goldstein wrote in the July 30, 2010 issue of The Philadelphia Inquirer (the “Inquirer”) that a laptop computer with unencrypted PHI on 21,000 patients was stolen from an office at Thomas Jefferson University Hospital (“TJUH”) in Philadelphia on June 14, 2010. According to Mr. Goldstein, “[t]he Jefferson records were for every patient admitted to the hospital from March 9 to June 9 and Aug[ust] 1 to November 1, 2008.” Additionally, the security breach was reported to have resulted from the copying of PHI by one employee onto a personal laptop in violation of TJUH policy.

To provide some support for those affected by the PHI breach, the Goldstein article stated that TJUH has offered a free year of identity monitoring, protection and remediation service (“Identity Protection Service”) to the potential victims. This offer of Identity Protection Service by TJUH is similar to proposals made by numerous other providers and insurers that have experienced PHI security breaches in the past. In expressing deep apology for the PHI mishap, TJUH president Thomas J. Lewis was reported to urge those whose PHI may have been compromised to activate the Identity Protection Service as soon as possible. 

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for security breaches respecting PHI often make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breaches themselves. 

Additionally, TJUH and others that experience PHI breaches are required to report to, and are listed on, a permanent database which is readily accessible online and is operated by the federal Department of Health and Human Services. 

A final intangible but significant concern is that, as was the case in the Goldstein article, other providers in the same geographic region or areas of practice which suffered security breaches of PHI previously will see their past calamities revived as background and comparison for each new reported event. The effect may be repeated publishing of a single past PHI security breach.

To this end, providers and insurers must heighten their efforts to avoid PHI security breaches in the first place. It is clear, however, that even with the policies, procedures and precautions instituted by highly respected institutions such as TJUH, the parade of PHI security breaches will continue to lengthen. If such breaches do occur, prompt, decisive and proactive action such as that undertaken by TJUH is required to maximize damage control and rehabilitate relations with clients and the public.

Charity Care Matters for Hospital EHR Incentive Payments

The recently published final "meaningful use" regulations make it clear that hospitals must be careful in how they report charity care on their Medicare cost reports if they want to maximize their incentive payments for using EHR. The amount a hospital receives in EHR incentive payments is calculated based on the hospital's Medicare and Medicaid patient volume, calculated as a fraction of the hospital's total patient volume. The rule proposal failed to define key terms that are part of the calculation of the fractional share of the hospital's Medicare and Medicaid patient volume, including the term "charity care." The proposed final rule looks to the charity care amount reported in the hospital's Medicare cost report, despite the fact that this reported number likely did not have a significant impact on the hospital's Medicare reimbursement in the past.

As CMS explains in the preamble to the rule, "We believe that the charity care charges reported on line 20 of the pending final OMB approved Worksheet S-10 [Form CMS-2552-10, effective for cost reporting periods beginning on or after May 1, 2010] represent the most accurate measure of charity care charges as part of the hospital's overall reporting of uncompensated and indigent care for Medicare purposes... if a hospital has not properly reported any charity care charges on line 20, we may question the accuracy of the charges used for computing the final Medicare share of the [EHR] incentive payments."

CMS goes on to explain that charity care data can be obtained by the Medicare contractor, and the data "would be used to determine if the hospital's charity care criteria are appropriate, if a hospital should have reported charity care charges, and if the reported charges are proper. If we determine, as based on a determination of the MAC, that the hospital did not properly report charity care charges on line 20 of the pending final OMB approved Worksheet S-10, then we proposed to deem the [charity care] portion of the denominator ... to be 1." Instructions to draft Form CMS-2552-10 for Worksheet S-10 define "charity care" as "[h]ealth care services for which a hospital demonstrates that the patient is unable to pay ... [and] results from a hospital's policy to provide all or a portion of services free of charge to patients who meet certain financial criteria." Conversely, "non-Medicare bad debt" is defined as "[h]ealth care services for which a hospital determines the non-Medicare patient has the financial capacity to pay, but the non-Medicare patient is unwilling to settle the claim."

CMS makes it clear that just as Medicare contractors currently determine whether a hospital's indigency policies (for example, how a provider determines that a non-Medicaid patient is indigent or medically indigent and that the patient's financial condition is not likely to improve following an asset/income test of patient resources) are appropriate for determining allowable Medicare bad debt, the Medicare contractor can similarly determine whether the hospital's policies are sufficient for determination of charity care information used in the EHR incentive payment calculation.

In short, a hospital seeking EHR incentive payments must closely examine not just the accuracy of reported charity care and non-Medicare bad debt data included on its Medicare cost report, but must ensure it is actually undertaking a review of patients' ability to pay for services. Failure to document the proportion of uncompensated care that qualifies as "charity care" may result in a decrease in EHR incentive dollars.

Rite Aid settles HIPAA Claims for $1 Million

In a press release dated July 27, 2010, the Department of Health and Human Services announced a settlement under which Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential HIPAA violations. The pharmacy chain also entered into a consent order with the Federal Trade Commission.

HHS reports that the investigation was triggered by television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public.  Rite Aid stores were among the pharmacies shown in the videos.

Under the HHS resolution agreement, in addition to the $1 million restitution payment, Rite Aid must implement a three-year corrective action program that includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Website here.

Meaningful Use At A Glance

The following is a chart summarizing the 15 "core" objectives which must be met, the menu from which 5 additional objectives must be selected, and the standards by which achievement of these objectives will be measured in order to qualify for EHR funding under the HITECH Act based on the final rules published on July 13, 2010:

 

Core set:

| Objective | Measure |
| --- | --- |
| Record patient demographics (sex, race, ethnicity, date of birth, preferred language, and in the case of hospitals, date and preliminary cause of death in the event of mortality) | More than 50% of patients’ demographic data recorded as structured data |
| Record vital signs and chart changes (height, weight, blood pressure, body-mass index, growth charts for children) | More than 50% of patients 2 years of age or older have height, weight, and blood pressure recorded as structured data |
| Maintain up-to-date problem list of current and active diagnoses | More than 80% of patients have at least one entry recorded as structured data |
| Maintain active medication list | More than 80% of patients have at least one entry recorded as structured data |
| Maintain active medication allergy | More than 80% of patients have at least one entry recorded as structured data |
| Record smoking status for patients 13 years of age or older | More than 50% of patients 13 years of age or older have smoking status recorded as structured data |
| For individual professionals, provide patients with clinical summaries for each office visit; for hospitals, provide an electronic copy of hospital discharge instructions on request | Clinical summaries provided to patients for more than 50% of all office visits within 3 business days; more than 50% of all patients who are discharged from the inpatient department or emergency department of an eligible hospital or critical access hospital and who request an electronic copy of their discharge instructions are provided with it |
| On request, provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies, and for hospitals, discharge summary and procedures) | More than 50% of requesting patients receive electronic copy within 3 business days |
| Generate and transmit permissible prescriptions electronically (does not apply to hospitals) | More than 40% are transmitted electronically using certified EHR technology |
| Computer provider order entry (CPOE) for medication orders | More than 30% of patients with at least one medication in their medication list have at least one medication ordered through CPOE |
| Implement drug–drug and drug–allergy interaction checks | Functionality is enabled for these checks for the entire reporting period |
| Implement capability to electronically exchange key clinical information among providers and patient-authorized entities | Perform at least one test of EHR’s capacity to electronically exchange information |
| Implement one clinical decision support rule and ability to track compliance with the rule | One clinical decision support rule implemented |
| Implement systems to protect privacy and security of patient data in the EHR | Conduct or review a security risk analysis, implement security updates as necessary, and correct identified security deficiencies |
| Report clinical quality measures to CMS or states | For 2011, provide aggregate numerator and denominator through attestation; for 2012, electronically submit measures |

 

Menu Set (implement 5 out of 10)

| Objective | Measure |
| --- | --- |
| Implement drug formulary checks | Drug formulary check system is implemented and has access to at least one internal or external drug formulary for the entire reporting period |
| Incorporate clinical laboratory test results into EHRs as structured data | More than 40% of clinical laboratory test results whose results are in positive/negative or numerical format are incorporated into EHRs as structured data |
| Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, or outreach | Generate at least one listing of patients with a specific condition |
| Use EHR technology to identify patient-specific education resources and provide those to the patient as appropriate | More than 10% of patients are provided patient-specific education resources |
| Perform medication reconciliation between care settings | Medication reconciliation is performed for more than 50% of transitions of care |
| Provide summary of care record for patients referred or transitioned to another provider or setting | Summary of care record is provided for more than 50% of patient transitions or referrals |
| Submit electronic immunization data to immunization registries or immunization information systems | Perform at least one test of data submission and follow-up submission (where registries can accept electronic submissions) |
| Submit electronic syndromic surveillance data to public health agencies | Perform at least one test of data submission and follow-up submission (where public health agencies can accept electronic data) |

 

Additional choices for hospitals and critical access hospitals:

| Objective | Measure |
| --- | --- |
| Record advance directives for patients 65 years of age or older | More than 50% of patients 65 years of age or older have an indication of an advance directive status recorded |
| Submit electronic data on reportable laboratory results to public health agencies | Perform at least one test of data submission and follow-up submission (where public health agencies can accept electronic data) |

 

Additional choices for eligible professionals:

| Objective | Measure |
| --- | --- |
| Send reminders to patients (per patient preference) for preventive and follow-up care | More than 20% of patients 65 years of age or older or 5 years of age or younger are sent appropriate reminders |
| Provide patients with timely electronic access to their health information (including laboratory results, problem list, medication lists, medication allergies) | More than 10% of patients are provided electronic access to information within 4 days of its being updated in the EHR |

Source: New England Journal of Medicine http://healthcarereform.nejm.org/?p=3732&query=OF

Final "Meaningful Use" Criteria for EHR Subsidies Released

On July 13, 2010, the Department of Health and Human Services released a pair of final regulations (one from CMS, one from the Office of National Coordinator for HIT) detailing the “meaningful use” criteria which will determine whether users of electronic health records will qualify for the government subsidies under the HITECH Act during the first two years of the program (2011-2012). The final rule modified the agency’s January 16, 2010 proposed rule and addressed issues raised in the over 2000 comments that proposal drew. The HITECH Act provides EHR funding over 5 years of up to $44,000 (through Medicare) and $63,750 (through Medicaid) per qualifying physician or other clinician, as well as additional funding for qualifying hospitals.

The agency responded to the numerous complaints that its earlier, all-or-nothing approach mandating 25 objectives (23 for hospitals) was unrealistic. Instead, the final proposal requires 15 “core” objectives and a menu of additional objectives EHR users can choose from to qualify for the financial help.

 

The New England Journal Of Medicine published a summary article by HHS insiders David Blumenthal, M.D., M.P.P., national coordinator for HIT, and Marilyn Tavenner, R.N., M.H.A., principal deputy administrator of CMS. They noted:

 

“In the original proposal, we identified a broad set of objectives, all of which would need to be met. This included 23 objectives for hospitals and 25 for clinicians. The DHHS received many comments that this approach was too demanding and inflexible, an all-or-nothing test that too few providers would be likely to pass.  In the final regulation, we have divided these elements into two groups: a set of core objectives that constitute an essential starting point for meaningful use of EHRs and a separate menu of additional important activities from which providers will choose several to implement in the first 2 years.

. . .

 

Core objectives comprise basic functions that enable EHRs to support improved health care. As a start, these include the tasks essential to creating any medical record, including the entry of basic data: patients’ vital signs and demographics, active medications and allergies, up-to-date problem lists of current and active diagnoses, and smoking status.

 

Other core objectives include using several software applications that begin to realize the true potential of EHRs to improve the safety, quality, and efficiency of care. These features help clinicians to make better clinical decisions — and avoid preventable errors. To qualify for incentive payments, clinicians must start employing such clinical decision support tools. They must also start using the capability that undergirds much of the value of EHRs: using records to enter clinical orders and, in particular, medication prescriptions. Only when providers enter orders electronically can the computer help improve decisions by applying clinical logic to those choices in light of all the recorded patient data. And to begin extending the benefits of EHRs to patients themselves, the meaningful use requirements will include providing patients with electronic versions of their health information.

 

In addition to the core elements, the rule creates a second group: a menu of 10 additional tasks, from which providers can choose any 5 to implement in 2011–2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.

 

For example, the menu includes capacities to perform drug-formulary checks, incorporate clinical laboratory results into EHRs, provide reminders to patients for needed care, identify and provide patient-specific health education resources, and employ EHRs to support the patient’s transitions between care settings or personnel.”

 

The AMA issued a press release which stated the association’s intent to carefully review the final rule to see if the requirements have been reduced to allow more flexibility than the proposed rule, as AMA urged. Noting that the looming cuts under the physician fee schedule have not yet been permanently fixed, the AMA said:

 

“Physicians recognize the potential for health IT and want to adopt new technologies, but costly EHR systems are out of reach for many physicians because of low Medicare payments and the prospect of steep cuts in December. Congress needs to repeal the flawed Medicare physician payment formula to help eliminate one major obstacle to physician adoption of new technologies.”

 

It may be an uphill battle to drag the healthcare industry into the 21st century. The New York Times quoted HHS Secretary Kathleen Sebelius’ concern that "only 20 percent of doctors and 10 percent of hospitals use even basic electronic health records.”

 

The rule will be published in the Federal Register in the near future. An advance copy is available at http://www.ofr.gov/OFRUpload/OFRData/2010-17207_PI.pdf  and http://www.ofr.gov/OFRUpload/OFRData/2010-17210_PI.pdf 

 

HHS Fact Sheets are here: Electronic Health Records At A Glance; and CMS and ONC Final Regulations Define Meaningful Use And Set Standards For Electronic Health Record Incentive Program. The HHS press release is here. A technical fact sheet on ONC’s standards and certification criteria final rule is available at http://healthit.hhs.gov/standardsandcertification

Proposed HITECH Regulations Require Business Associates to Police Subcontractors Receiving PHI

 

On Thursday, July 8, 2010, the Department of Health and Human Services (HHS) announced proposed modifications to the HIPAA Privacy & Security Rules implementing the HITECH Act.  The proposed modifications include new requirements on business associates with regard to their subcontractors.  

The Office for Civil Rights (OCR) within HHS proposes to include in the definition of “business associate” in § 160.103 subcontractors that create, receive, maintain, or transmit protected health information on behalf of a business associate. OCR specifies that it does not intend this proposed modification to mean that a covered entity is required to have a contract with the subcontractor. Rather, the “obligation is to remain with the business associate who contracts with the subcontractor.” In § 164.308(b)(2), OCR proposes “to make clear that it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information.”  

The proposed rule casts business associates into a much more active role, requiring them to enter into business associate agreements (BAAs) with their subcontractors. In effect, business associates would be expected to act as though they are covered entities in terms of identifying when protected health information (PHI) is transmitted to third parties and policing the privacy and security of PHI whenever it flows downstream or outside the business associate workforce.

Because a covered entity with which a business associate has contracted still has an ultimate responsibility for the privacy and security of the PHI of its patients or clients, existing BAAs may require further review and amendments to protect the covered entity sufficiently should this rule be adopted.

A First: Connecticut AG Settles With Health Net Over Breach For $250,000

In the first settlement of a HIPAA enforcement action brought by a state attorney general under the new authority granted by the HITECH Act, Connecticut Attorney General Richard Blumenthal announced that the state had entered into an agreement with Health Net for failing to secure patient health and financial information.  The AG had brought suit in January based on Health Net's loss of a hard drive containing over 500,000 individuals' records including clinical data, social security numbers, addresses, and other financial information. The company had concluded that the hard drive had been lost due to theft. Compounding the damage, the AG alleged that the company had delayed notifying the affected individuals for over six months.

The press release issued by the AG states:

  • Under this settlement, Health Net and its affiliates have agreed to:
    • A “Corrective Action Plan” in which Health Net is implementing several detailed measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
    • A $250,000 payment to the state representing statutory damages. This payment is intended as a future deterrent to such conduct not only by Health Net, but by other insurers and health care entities that are entrusted with individuals’ private information.
    • An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

The full settlement is here