As reported previously on this blog, the public-disclosure requirements for security breaches of Protected Health Information (“PHI”) under the HIPAA/HITECH statutes and regulations continue to bring to light new PHI breaches at highly respected and sophisticated providers and insurers. Because HITECH also authorized state attorneys general to enforce HIPAA/HITECH violations, direct intervention by attorneys general has begun to take place.
Richard Blumenthal, the Attorney General of Connecticut and a candidate for U.S. Senate, has been especially prominent in promptly launching investigations of PHI security breaches that affect individuals in his state.
For example, on August 18, 2010, Yale School of Medicine reported that it had begun notifying approximately 1,000 individuals whose clinical health information was stored on a laptop computer that was stolen. On the heels of that disclosure, Attorney General Blumenthal announced, “My office has begun an investigation to identify the cause of the breach and assure ongoing protections for patients.”
One day later, on August 19, 2010, ctwatchdog.com reported that Mr. Blumenthal had announced an investigation into another security breach, this time at the University of Connecticut, where a laptop containing private financial information on 10,174 applicants was stolen.
These two announcements are only the latest in Mr. Blumenthal’s series of investigations of PHI security breaches. The enactment of HITECH gave state attorneys general, for the first time, the authority to bring enforcement actions for HIPAA violations involving PHI.
Under HITECH, state attorneys general are authorized to bring civil suits in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. The attorneys general can sue for injunctive relief and/or damages and attorney fees. Moreover, HIPAA/HITECH does not prevent a state attorney general from exercising powers under state law respecting PHI security breaches.
In July 2010, Mr. Blumenthal distinguished himself in an earlier case by recovering for Connecticut the first state settlement under HIPAA/HITECH: $250,000 from healthcare insurer HealthNet and its affiliates for alleged health data security breaches. Mr. Blumenthal had charged HealthNet with failing, in connection with a May 2009 breach, (i) to properly protect the private medical records and financial information of nearly 500,000 Connecticut enrollees and (ii) to promptly notify the consumers endangered by the breach.
The actions, visibility and financial results of Mr. Blumenthal’s numerous PHI security breach investigations in Connecticut are likely to prompt other attorneys general around the country to follow suit. Such investigations can be very disruptive for a provider or insurer that suffers a PHI security breach, even where no settlement payment is ultimately required.
For example, for a PHI breach involving 500 or more individuals, HIPAA/HITECH allows a provider or insurer up to 60 days after discovery of the breach for internal investigation before it must report to the U.S. Department of Health and Human Services and make public disclosure (the 60 days is an outer limit; notification is still required without unreasonable delay). Early publicity by an attorney general before the 60-day period has run may force a public statement by the provider or insurer before it has completed its own internal investigation and prepared an orderly public disclosure and response. Prompt, decisive and proactive action will therefore be required of such a provider or insurer to limit the damage and rehabilitate relations with clients and the public before the 60-day HIPAA/HITECH period expires.