As reported previously on this blog, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches.
The earlier posting reported that Richard Blumenthal, Attorney General, and now United States Senator-elect, in Connecticut, has been especially prominent in investigating PHI security breaches affecting individuals in his state. He also distinguished himself by successfully recovering for Connecticut the first state settlement for PHI security breaches under HIPAA/HITECH in an amount of $250,000.
The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations.
It was pointed out in the earlier blog posting that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches. In this regard, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”
Significantly, the lawsuit, which seeks $300,000 in civil penalties, is not being brought under HIPAA/HITECH but, according to the Press Release, under Indiana state law, which “requires businesses to notify both the individuals potentially affected by a data breach, as well as the Attorney General's office without unreasonable delay.”
According to the Press Release, WellPoint was notified as early as February 22, 2010 and again on March 8, 2010 that health insurance application records containing personal information, such as social security numbers, financial information and health records, were accessible through its public website. However, Greg Zoeller, the Indiana Attorney General, alleges that WellPoint did not begin notifying customers of the security breach until June 18, 2010 (over 100 days after WellPoint reportedly learned of the breach). The Press Release continues that, following news reports of the breach, the Attorney General's office submitted an inquiry to WellPoint and received a response on July 30, 2010 (at least 144 days after WellPoint reportedly learned of the breach). The Press Release states that the WellPoint “delays in notice both to customers and to the Attorney General's office are considered unreasonable.”
Significantly, HIPAA/HITECH has a more objective and rigid standard than the “unreasonable delay” of the Indiana statute. Under HIPAA/HITECH, the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” [Emphasis supplied] WellPoint would clearly not be within the 60-day limit for notification under the HIPAA/HITECH requirements.
It is not clear what led Mr. Zoeller to determine to proceed under state law rather than HIPAA/HITECH, especially given the objective outside limit of 60 days under HIPAA/HITECH and the abovementioned success of Mr. Blumenthal in Connecticut. Perhaps the decision was made in order to bring the action in the Indiana state courts rather than the federal courts, or there are facts and circumstances that may favor use of the state law. It is also possible that the Indiana Attorney General may want to reserve the possibility of proceeding in the federal courts under HIPAA/HITECH later in the event that the current state action does not proceed favorably.
In any event, it can be expected that other attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments under HIPAA/HITECH and/or state law. In this regard, it will be interesting to see how the attorneys general will exercise their discretion in selecting entities from whom they will seek penalties. The two reported cases in Connecticut and Indiana deal with HealthNet and Wellpoint, respectively, which are insurers, not providers. As a political and media matter, insurers would appear to be much safer targets than highly respected non-profit teaching or community hospitals or small physician practices.
Nonetheless, both insurers and providers must be on constant alert to minimize fallout if a PHI security breach occurs. Prompt, decisive and positive action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for undue delay in notification of PHI security breaches.