from David Harlow's Health Care Law Blog
Connecticut Attorney General Richard Blumenthal entered a brave new world yesterday, as the first state AG to file a HIPAA enforcement action under the "Son of HIPAA" amendments found in the HITECH Act. Among other HIPAA changes made in the new law (all of which should be of concern to health care providers, health care payors, health care clearinghouses -- "covered entities" or CEs -- and their "business associates" -- vendors who touch electronic protected health information or ePHI), there is a provision that permits state attorneys general to file HIPAA enforcement actions on behalf of the people of their state, in order to protect their interests, and to seek injunctive relief and/or money damages. See Sec. 13410(e) of ARRA (p. 160 of HR 1 PDF).
The basic facts of the case are not unfamiliar: A hard drive gone missing from a health insurance company's offices, this one with unencrypted information about 250,000 plan members. The insurer, Health Net, failed to promptly notify data subjects that the data had gone missing, taking six months to issue a notice and letters to affected individuals and offer credit monitoring and repair for anyone affected. Unfortunately, data breaches are all too common. See, for example, my post on the Virginia health data breach last year, and the recent Chilmark Research post asking, in essence, whether we can reasonably expect a breach-free world.
While asserting a HIPAA claim is new territory for state AGs, the crux of the claim is really a consumer protection claim, one of the state AGs' mainstays.