If you think the HITECH Act isn't a game changer, think again. The State Attorney General ("AG") of Connecticut filed an historic lawsuit for breach of protected health information for an estimated 446,000 past and present Connecticut enrollees of Health Net of Connecticut.
"Sadly, this lawsuit is historic – involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA," Connecticut Attorney General Richard Blumenthal said. Health Net failed to promptly notify consumers of the security breach that involved missing medical records containing personal, intimate patient information as well as financial and claims data.
According to the article in Health IT News, at the link above, "...on or about May 14, 2009 Health Net officials learned that a portable computer disk drive disappeared from the company's Shelton office. The disk drive contained protected health information, Social Security numbers and bank account numbers for approximately 446,000 past and present Connecticut enrollees.
In the lawsuit, Blumenthal alleges that Health Net failed to promptly notify his office or other Connecticut authorities of the missing information, which included 27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."
Since when do state AG's have the authority to bring civil suits on behalf of their citizens for breach of PHI? Well, at least since February 17, 2009 when the HITECH Act was enacted as part of ARRA, although many state laws arguably provided similar rights prior to that. Section 13410 of the Act states, in part, as follows:
(1) IN GENERAL.—Section 1176 of the Social Security Act (42 U.S.C. 1320d–5) is amended by adding at the end the following new subsection:
‘‘(d) ENFORCEMENT BY STATE ATTORNEYS GENERAL.—
‘‘(1) CIVIL ACTION.—Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—
‘‘(A) to enjoin further such violation by the defendant; or
With such a high profile breach, we would not be surprised if HHS gets in on the act. After all, there is a new sheriff in town, and she is not nearly as nice as the old one.
Looking for a best of breed HIPAA Compliance Software?
To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.
If you need tools that will help with your compliance initiatives then check out the HSG Store.
with your compliance initiatives? If so then check out the HSG Store.