HIPAA’s Bark, Now With a HITECH Bite
Earlier this month, the first state Attorney General action brought under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) settled. Connecticut's Attorney General brought the action against Health Net in the District Court of Connecticut following Health Net's May 2009 HIPAA violations, which involved the loss of a portable computer disk drive containing the protected health information (PHI) of over 1.5 million plan participants. For a copy of the stipulated judgment, click here.
Health Net represented that it had incurred over $7 million in expenses investigating the circumstances surrounding the disappearance of the drive, identifying and notifying affected Health Net members, and offering and providing two years of credit monitoring services and $1,000,000 in identity theft insurance to affected members. The loss investigation found that, although Health Net had implemented privacy policies and procedures governing PHI, certain employees handling the drive failed to comply with those policies and also did not create a log of the data transferred to the disk drive, so Health Net could not establish exactly what the drive contained. The investigation also determined, however, that to date there has been no evidence of identity theft or fraud affecting any of the affected members.
Health Net's obligations under the settlement are two-fold: 1) a guaranteed fine of $250,000, payable to the Connecticut state treasury, coupled with a contingent additional fine of $500,000 if the data on the missing disk is shown to have been accessed and misused; and 2) a Corrective Action Plan. The Corrective Action Plan requires Health Net to supplement its existing security and privacy programs, including by: using a combination of hardware and software to identify and automatically encrypt email containing PHI; monitoring and controlling the transfer of PHI to removable media; identifying and logging all actual and attempted access to PHI; and encrypting the hard drives of all company laptop computers. Notably, each of these is a technical control that would have prevented or at least documented the very failure at issue, rather than a further policy that depends on employees choosing to follow it. Additionally, Health Net is required to strengthen its oversight of IT projects and institute broad HIPAA training and awareness measures for all employees.
This is only the first state Attorney General action brought under the authority granted to the states by HITECH in early 2009. States like California have already been aggressively fining hospitals for failing to prevent unauthorized access to confidential patient medical information. On June 10, the California Department of Public Health (CDPH) announced $675,000 in fines against five separate hospitals under Section 1280.15 of the California Health and Safety Code, which was amended in 2008 to hold health care providers accountable for ensuring the privacy of patients. For the California Department of Public Health's press release on the fines, click here. With state coffers strained, the additional authority and fines permitted under HITECH may create quite an incentive for state Attorneys General to pursue further HIPAA violations.
Posted by Gesmer Updegrove attorney Crystal Lyons.