As reported previously on this blog series, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information ("PHI") have been bringing to light new breaches of PHI security and direct intervention by state attorneys general with respect to such breaches.

The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. Nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches.

Earlier blog postings reported on (i) a settlement by the Attorney General of Connecticut (the "Connecticut Settlement") of a lawsuit brought under HIPAA/HITECH for $250,000 against Health Net, Inc., and (ii) more recently, a lawsuit filed under Indiana state law for $300,000 against Wellpoint, Inc. by the Attorney General of Indiana (collectively, the "Earlier Actions").

On January 18, 2011, Attorney General William Sorrell of Vermont and his office (collectively, the "Vermont Attorney General") announced in a press release (the "Press Release") that it had settled a lawsuit (the "Vermont Action"), by means of a consent decree which requires court approval, against Health Net, Inc., and Health Net of the Northeast, Inc. (collectively, "Health Net"). The Vermont Action involves a number of the same issues to which the Connecticut Settlement against Health Net related, including an alleged failure to promptly notify consumers endangered by the breach.


The settlement in the Vermont Action (the "Vermont Settlement") would require Health Net to pay $55,000 to Vermont, submit to a data-security audit, and file reports with Vermont regarding its information security programs for the next two years. Presumably the lower settlement amount in Vermont is attributable to the fact that, as the Press Release stated, 525 Vermonters were affected by the alleged PHI security breach, in contrast to the nearly 500,000 Connecticut enrollees alleged to have been affected by the breach underlying the Connecticut Settlement.

Significantly, the Vermont Action, which was filed in the U.S. District Court for the District of Vermont, was, unlike the Earlier Actions, brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. The Press Release stated that the Vermont Settlement is "Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009."

So far, state attorneys general have limited their enforcement activity under HIPAA/HITECH to cases in which insurers allegedly delayed notifying affected individuals for unreasonably long periods. Insurers may be attractive targets because they are often perceived by the public to be large, highly profitable and relatively faceless entities. It will be interesting to see when the first lawsuit is filed by an attorney general against a provider, such as a physician practice group or community hospital, and on what basis such a lawsuit will be brought.

In any event, it can be expected that other attorneys general around the country will heighten their investigations of PHI security breaches and seek civil monetary payments under HIPAA/HITECH and/or state law. Perhaps more will even be heard from attorneys general who believe that citizens of their respective states have been affected by the alleged Health Net and/or Wellpoint PHI security breaches.


Prompt, decisive and positive action is required of providers, as well as insurers, to limit potential damages, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties.