The Connecticut attorney general is one of the few state attorneys general who has taken advantage of the 2009 provision in the HITECH Act that grants states authority to enforce HIPAA violations. On Nov. 6, 2015, the Connecticut attorney general announced that it had entered into a settlement agreement (an Assurance of Voluntary Compliance) with Hartford Hospital and its business associate vendor, EMC Corporation (EMC), to resolve an investigation into a breach that occurred in 2012.
Hartford Hospital and EMC have agreed to collectively pay $90,000 and to institute various measures to resolve the matter. EMC assisted the hospital on a quality improvement project that involved analyzing the hospital's patient data. On June 25, 2012, an unencrypted laptop was stolen from an EMC employee's home. The laptop contained unencrypted protected health information (PHI) of about 8,883 Connecticut residents. EMC reported the theft to the hospital the next day, and the hospital then discovered that it had never entered into a business associate agreement with EMC. The hospital notified all affected patients of the breach, as well as the Connecticut Attorney General's office. In the Assurance of Voluntary Compliance, the hospital agreed to comply with all applicable provisions of HIPAA, including reviewing all of its vendor relationships to ensure that the required business associate agreements are in place, and encrypting PHI. EMC agreed to maintain policies and procedures on encryption, on the storage of PHI outside EMC premises, and on responding to breach events.