New York Attorney General Eric Schneiderman has been in hot pursuit of organizations in his state that fail to maintain the security and privacy of personal information. On March 6, 2018, the Attorney General’s office announced that it had reached a settlement with the New York health plan EmblemHealth, under which EmblemHealth will pay a $575,000 fine for violations of New York state privacy laws.
The settlement follows the health plan’s discovery that it had erroneously sent a mailing to policyholders that included a label on the envelope with the policyholder’s Social Security number. The New York Attorney General noted this disclosure resulted in a breach of not only the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) but also New York’s General Business Law Section 399-ddd(2)(e), which prohibits visibly printing Social Security numbers on envelopes.
In addition to paying $575,000 to settle the matter with the Attorney General’s office, EmblemHealth entered into a corrective action plan with the state, requiring it to conduct a risk analysis of the security risks within EmblemHealth’s information technology infrastructure and, within 180 days of the settlement, to report those risks to the Attorney General’s office. EmblemHealth must also review its policies and procedures and advise the Attorney General’s office of any action it takes arising out of that review. If it takes no action, it must provide a detailed narrative explaining why no action is necessary. As part of the settlement, EmblemHealth must also track its mailing processes to ensure that all employees involved are appropriately trained for the mailing-related jobs to which they are assigned. The corrective action plan further requires EmblemHealth to report any known violations of policies and procedures relating to the minimum necessary standard set forth in the HIPAA Privacy Rule to the appropriate EmblemHealth official and to remediate any such violations as soon as practicable.
While the New York Attorney General and other state attorneys general have taken action against businesses involved in data breaches, this case is particularly interesting because it is a state settlement of HIPAA violations. The settlement specifically cites violations of the HIPAA Privacy Rule, and the corrective action plan includes HIPAA compliance measures. While the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) granted state attorneys general the authority to enforce HIPAA through civil actions brought on behalf of state residents, until now this authority has not been publicly invoked to any noteworthy degree. The EmblemHealth case is an important reminder that covered entities and business associates, in addition to complying with HIPAA, must also ensure that they abide by state privacy laws that prohibit the improper disclosure of certain personal information. While HIPAA covered entities and business associates can continue to expect scrutiny from and enforcement by the Department of Health and Human Services, Office for Civil Rights, they must be prepared for scrutiny and action from state regulators and enforcers as well.