The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules.
The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents.
The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of unencrypted hard drive containing the electronic protected health information 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000.
State Attorney HIPAA cases were relatively rare occurrences, with only 11 settlements reached with covered entities and business associates to resolve HIPAA violations between 2010 and 2015. HIPAA enforcement by state attorneys general was stepped up in 2017 with 5 settlements and again in 2018 when 12 cases resulted in financial penalties for violations of the HIPAA Rules.
In 2019 and 2020, a total of 5 cases have resulted in financial penalties, although those penalties have been sizeable, and four of the five cases were multistate actions against HIPAA covered entities and business associates where several state attorneys general participated in the actions. These multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more efficiently.
When civil actions are brought against covered entities or business associates by state Attorneys General, they are separate from any Office for Civil Rights actions.
Several data breaches have resulted in settlements being reached at both the federal and state level. Community Health Systems/CHSPSC, Anthem Inc., Premera Blue Cross, Aetna, Cottage Health System, University of Rochester Medical Center, and Medical Informatics Engineering have all settled cases with OCR and state attorneys general to resolve potential HIPAA violations.
In many of the state AG enforcement actions below, the financial penalties resolve violations of federal (HIPAA) and state laws. Over the years there have been several cases where HIPAA Rules have been violated, but the decision was taken to bring actions for violations of equivalent provisions in state laws.
HIPAA Enforcement by State Attorneys General in 2020
Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
2020 | Multistate (28 states) | Community Health Systems / CHSPSC LLC | $5,000,000 | 6.1 million | Hacked by Chinese APT group | Failure to implement and maintain reasonable security practices |
2020 | Multistate (43 states) | Anthem Inc | $39.5 million | 78.8 million | Phishing attack and major data breach | Multiple violations of HIPAA and state laws |
2020 | California | Anthem Inc | $8.7 million | 78.8 million | Phishing attack and major data breach | Multiple violations of HIPAA and state laws |
HIPAA Enforcement by State Attorneys General in 2019
Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
2019 | Multistate (30 states) | Premera Blue Cross | $10,000,000 | 10.4 million | Hacking incident and major data breach | Multiple violations of HIPAA and state laws |
2019 | Multistate (16 states) | Medical Informatics Engineering | $900,000 | 3.5 million | Breach of NoMoreClipboard data | Multiple violations of HIPAA and state laws |
2019 | California | Aetna | $935,000 | 1,991 | 2 mailings exposed PHI (Afib, HIV) | Impermissible Disclosure of sensitive health information |
HIPAA Enforcement by State Attorneys General in 2018
Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
2018 | Massachusetts | McLean Hospital | $75,000 | 1,500 | Loss of backup tapes | Insufficient risk assessment, failure to encrypt data, delayed breach notifications |
2018 | New Jersey | EmblemHealth | $100,000 | 6,443 (81,000) | Mailing error exposed SSNs | Impermissible disclosure of PHI/ lack of staff training |
2018 | New Jersey | Best Transcription Medical | $200,000 | 1,650 | Exposure of ePHI in Internet | Risk assessment and risk management failure, breach notification failure |
2018 | Multistate (CT, NJ, DC) | Aetna | 640170.59 | 13,160 | 2 mailings exposed PHI (Afib, HIV) | Impermissible Disclosure of sensitive health information |
2018 | Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Multiple data breaches | Failure to secure ePHI |
2018 | New York | Arc of Erie County | $200,000 | 3,751 | Exposure of ePHI on Internet | Failure to secure ePHI |
2018 | New Jersey | Virtua Medical Group | $417,816 | 1,654 | Exposure of ePHI on Internet | Multiple violations of the HIPAA Rules |
2018 | New York | EmblemHealth | $575,000 | 81,122 | Mailing error exposed SSNs | Impermissible disclosure of PHI / lack of staff training |
2018 | New York | Aetna | $1,150,000 | 12,000 | 2 mailings exposed PHI (Afib, HIV) | Impermissible Disclosure of sensitive health information |
HIPAA Enforcement by State Attorneys General in 2017
Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
2017 | California | Cottage Health System | $2,000,000 | More than 54,000 | Exposure of PHI on Internet | Failure to safeguard personal information |
2017 | Massachusetts | Multi-State Billing Services | $100,000 | 2,600 | Theft of unencrypted laptop computer | Failure to safeguard personal information |
2017 | New Jersey | Horizon Healthcare Services Inc | $1,100,000 | 3.7 million | Theft of 2 unencrypted laptop computers | Failure to safeguard personal information |
2017 | Vermont | SAManage USA, Inc. | $264,000 | 660 | Exposure of PHI on Internet | Failure to secure ePHI / breach notification failure |
2017 | New York | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Delayed breach notification | Violation of breach notification requirements |
HIPAA Enforcement by State Attorneys General (2010-2016)
Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
2015 | New York | University of Rochester Medical Center | $15,000 | 3,403 | List of patients provided to nurse who took it to a new employer | Impermissible disclosure of ePHI |
2015 | Connecticut | Hartford Hospital/ EMC Corporation | $90,000 | 8,883 | Theft of unencrypted laptop containing PHI | Lack of Business Associate Agreement / failure to encrypt ePHI |
2014 | Massachusetts | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Loss of backup tapes containing PHI | Failure to safeguard ePHI / Lack of staff training |
2014 | Massachusetts | Boston Children’s Hospital | $40,000 | 2,159 | Loss of laptop containing PHI | Failure to encrypt ePHI |
2014 | Massachusetts | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Loss of laptop containing PHI | Failure to encrypt ePHI |
2013 | Massachusetts | Goldthwait Associates | $140,000 | 67,000 | Mishandling of PHI | Improper disposal of PHI |
2012 | Minnesota | Accretive Health | $2,500,000 | 24,000 | Mishandling of PHI | Failure to safeguard PHI |
2012 | Massachusetts | South Shore Hospital | $750,000 | 800,000 | Loss of backup tapes containing PHI | Failure to safeguard PHI |
2011 | Vermont | Health Net Inc. | $55,000 | 1,500,000 | Loss of unencrypted hard drive/delayed breach notifications | Failure to safeguard PHI / Violation of breach notification requirements |
2011 | Indiana | WellPoint Inc. | $100,000 | 32,000 | Failure to report breach in a reasonable timeframe | Violation of breach notification requirements |
2010 | Connecticut | Health Net Inc. | $250,000 | 1,500,000 | Loss of unencrypted hard drive | Failure to safeguard PHI / Violation of breach notification requirements |
The post HIPAA Enforcement by State Attorneys General appeared first on HIPAA Journal.