Despite the lack of significant settlements for HIPAA enforcement by the federal Office of Civil Rights (OCR) so far in 2018, states have not hesitated to patrol privacy and security breach activity and take action against perceived violations. Indeed, under the HITECH Act, state attorneys general have their own HIPAA enforcement authority. Two recent settlements suggest that states are ramping up their enforcement activities.
The New Jersey Attorney General recently announced a settlement of nearly $418,000 involving physician network Virtua Medical Group, P.A. (Virtua) for an alleged breach of privacy involving 1,654 patients, most of whom reside in New Jersey. The settlement followed an investigation by the New Jersey Division of Consumer Affairs, which concluded that an online server misconfiguration during a software update by a third party vendor and business associate of Virtua rendered patient medical records and related electronic personal health information (ePHI) to be viewed online and indexed by search engines. The New Jersey Division’s investigation determined that the third party vendor and business associate of Virtua discovered the breach in January 2016 and reinstated the security protections put in place prior to the update, but did not notify Virtua upon its discovery of the breach. The resulting settlement stemmed allegations that Virtua failed to conduct a comprehensive analysis of risks relative to PHI sent to the third party vendor, failed to safeguard against the risk of disclosure, failed to set forth sufficient procedures requiring security measures necessary to mitigate the risk, and failed to implement awareness and training programs for workforce members related to impermissible disclosures.
Furthermore, in March 2018, the New York Attorney General announced a $575,000 settlement with EmblemHealth and wholly-owned subsidiary Group Health Incorporated (EmblemHealth), following an incident in which 81,122 social security numbers were disclosed on a mailing. In EmblemHealth’s case, a Medicare Prescription Drug Plan Evidence of Coverage notice included a mailing label with the policyholder’s social security number on it. In addition to the settlement, EmblemHealth is required to implement a corrective action plan.
These settlements serve as reminders to covered entities and business associates that states may aggressively enforce data privacy and security violations, separate from what the OCR does. Some state laws (such as those in New Jersey and New York) may not expressly target PHI breaches in the same manner as HIPAA and other federal data privacy and security regulations, but they may have similarly sharp teeth. Furthermore, state enforcers may share information with and involve federal enforcers in activities constituting a violation of such federal regulations. In addition, covered entities should thoroughly examine business associate agreements to ensure that third party vendors bear the financial risk for failures to provide notice regarding breaches and to maintain adequate security measures to mitigate against the risk of disclosures.