My health law colleague, David Harlow, covers the news today on the first HIPAA enforcement action taken by a state attorney general under the new HITECH provision of American Recovery and Reinvestment Act of 2009 (ARRA).
David's post, HIPAA enforcement by state attorney general: The shape of things to come, provides a good summary of the announcement by the Connecticut Attorney General. More information via the Connecticut Attorney General press release.
The lawsuit filed by the Connecticut Attorney General Richard Blumenthal (coincidentally brother of David Blumenthal, National Coordinator of Health Information Technology) alleges that a health insurer, Health Net of Connecticut, Inc., failed to promptly notify the AG and other officials of a missing portable computer disk drive that contained unencrypted protected health information, Social Security numbers and bank accounts for approximately 446,000 individuals. The lawsuit also named UnitedHealth Group Inc. and Oxford Health Plans, LLC who acquired ownership of Health Net of Connecticut. The action also seeks a court order against Health Net to encrypt all information held on electronic devices.
Since the early days of HIPAA implementation and compliance there has largely been a lack of real enforcement efforts. The new provisions under HITECH allowing state attorney generals to file HIPAA enforcement actions on behalf of the public bring a new era of enforcement against health care providers who are unfortunate to have a health data breach and fail to properly respond to such breach in a timely manner.
David offers some good advice and takeaway points to health care providers and others who regularly handle health information. It is not enough to have policies and procedures in place but to regularly monitor whether they are being followed. Today's health data is liquid and it can flow in many directions. Providers need to understand where and how data is stored, used and transferred.