The Parade of PHI Security Breaches - Providers and Insurers Beware of Attorney General Richard Blumenthal and Other Attorneys General
As reported previously on this blog, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have continuously been bringing to light new breaches of PHI involving highly respected and sophisticated providers and insurers. With the authorization by HITECH of enforcement of HIPAA/HITECH violations by state attorneys general, direct intervention by attorneys general has been taking place.
For example, on August 18, 2010, Yale School of Medicine reported that it had begun notifying approximately 1,000 individuals whose clinical health information was contained on a laptop computer that was stolen. On the heels of that disclosure,
One day later on August 19, 2010, ctwatchdog.com reported that
These new disclosures by
Under HITECH, state attorneys general are authorized to bring civil suits in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. The attorneys general can sue for injunctive relief and/or damages and attorney fees. Moreover, HIPAA/HITECH does not prevent a state attorney general from exercising powers under state law respecting PHI security breaches.
In July 2010
The actions, visibility and financial success from
For example, HIPAA/HITECH gives such providers and insurers up to 60 days for internal investigation before requiring a report to the U.S. Department of Health and Human Services and public disclosure respecting a PHI breach involving 500 or more individuals. However, early publicity by an attorney general prior to the passing of the 60-day period may force a public statement by a provider or insurer before it has completed its own internal investigation and prepared an orderly public disclosure and response. Prompt, decisive and proactive action will be required of such a provider or insurer to maximize damage control and rehabilitate relations with clients and the public in advance of the expiration of the 60-day HIPAA/HITECH period.