The Massachusetts Attorney General’s Office announced Thursday that it has settled, for $750,000, a data breach lawsuit filed against South Shore Hospital under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA).
The alleged HIPAA violation arose from unencrypted back-up tapes that South Shore sent offsite to a data archiving company to be erased and re-sold as blank media. However, the hospital did not inform the data company that the tapes contained protected health information (PHI), did not determine whether the data company had appropriate safeguards in place to protect the PHI, and did not enter into a business associate agreement with the company. In shipment, two of three boxes containing the PHI were lost and have not been recovered.
The lawsuit, brought by the Massachusetts Attorney General’s Office, is only the third of its kind. Through the Health Information Technology for Economic and Clinical Health (HITECH), passed in 2009, Congress: (i) dramatically increased the HIPAA monetary penalties that could be levied against providers; (ii) granted authority to state attorneys general to prosecute HIPAA privacy and security violations; and (iii) perhaps most importantly, allows state attorney generals to share in any monetary penalties that they are able to collect (e.g., a “bounty sharing” provision). The changes were in response to a perceived lack of enforcement of the HIPAA regulations by the Office for Civil Rights of the Department of Health and Human Services (HHS).
While only the Vermont and Connecticut Attorneys General have initiated lawsuits under HITECH, the legislation is expected to add serious teeth to healthcare privacy laws. Under HITECH, an attorney general receiving a complaint from a resident may sue in federal district court for an injunction and monetary damages. In all three cases, the attorneys general have brought suit under both HIPAA and state privacy laws, and HHS has actively supported the initiative by offering in-person and computer-based training to state attorneys generals nationwide, and even assisting the Connecticut Attorney General’s Office in its prosecution.
South Shore Hospital, which settled for $750,000, was the largest of the three AG-initiated lawsuits. As the size of HIPAA violation settlements continue to grow, so too will the interest of states in exercising their new-found authority. Attorneys general may also be more inclined to initiate HIPAA lawsuits because of the positive impression such actions will make on constituents.
As the HITECH incentives catalyze the shift toward electronic health records, privacy issues will be at the forefront, attracting much greater attention than in the past. Hospitals, physicians, health care providers, Business Associates, and all other parties subject to HIPAA regulations are well advised to ensure that they have appropriate HIPAA policies, procedures, and safeguards in place to protect patient privacy, avoid violating HIPAA, and avoid attracting the attention of a much more aggressive, financially incentivized, state attorneys general corps.
For more information, please contact Abby Pendleton, Esq. or Clinton Mikel, Esq., at (248) 996-8510 or (212) 734-0128, or visit the HIPAA specialty page on the HLP website.