January 24, 2021

Volume XI, Number 24


January 22, 2021


States Increase HIPAA Enforcement

Overview of Recent Settlement Actions

Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorneys general have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under their own Unfair and Deceptive Acts and Practices (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to confirm they have taken the steps required for HIPAA compliance.

Virtual Medical Group

In New Jersey, VMG, a non-profit network of physicians, paid $417,816 (including attorneys’ fees) and agreed to a Corrective Action Plan (“CAP”) in a March 2018 consent judgment with the New Jersey Attorney General and the New Jersey Division of Consumer Affairs. According to the consent judgment, VMG suffered a data breach caused by a Business Associate when the Business Associate inadvertently posted medical records publicly online during a File Transfer Protocol (“FTP”) server upgrade. After an investigation, the New Jersey Division of Consumer Affairs alleged violations of both the HIPAA Security and Privacy Rules, including the following: a failure to conduct a thorough risk assessment; a delay in identifying and responding to suspected or known security incidents; improper handling of ePHI; and a failure to implement appropriate security measures. In particular, the consent judgment asserted that VMG allegedly failed to conduct a risk analysis relating to its Business Associate.

As part of the CAP, VMG agreed to hire an independent third party to conduct a comprehensive risk analysis (as required under the HIPAA Security Rule), revise its policies and procedures as necessary based on the findings, and report any actions taken to the Division of Consumer Affairs. Thus, even though the consent judgment indicated that a Business Associate caused the actual breach, VMG, the Covered Entity, was nevertheless subject to an investigation that revealed alleged HIPAA violations and, subsequently, an enforcement action. This serves as a reminder of the need for Covered Entities to diligently select Business Associates and take them into account when conducting risk analyses.

EmblemHealth

The New York Attorney General’s office recently announced that EmblemHealth agreed through a settlement to pay $575,000 and implement a CAP to resolve alleged violations of HIPAA and New York’s General Business Law § 399-ddd(2)(e). According to the NY AG’s press release, EmblemHealth used health insurance claim numbers that incorporated individuals’ social security numbers on a mailing label for 81,122 people (55,664 of whom resided in New York).

According to the announcement, the CAP requires EmblemHealth to undertake a thorough risk assessment, provide adequate workforce training, and report any security incidents to the Attorney General’s office that involve the loss or compromise of New York resident information (even if the incident would not otherwise be subject to New York breach reporting requirements).

Such state actions are an important reminder that states may bring civil actions under both HIPAA and their own UDAP laws. Companies should take this as an opportunity to revisit existing HIPAA privacy and security policies and their state data privacy compliance. The VMG settlement in particular highlights two important enforcement targets at both the federal and state levels: the need to conduct a thorough and accurate risk analysis and the need to engage in proper vendor management.

© Copyright 2020 Squire Patton Boggs (US) LLP. National Law Review, Volume VIII, Number 108


About this Author

Elliot Golding, Privacy and Cybersecurity Attorney, Squire Patton Boggs
Partner

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

202-457-6407
Jennifer Tharp, Environmental Attorney, Cleveland, Squire Patton Boggs Law Firm
Associate

Jennifer Tharp is an associate in the Environmental, Safety & Health group. During law school, she completed a summer internship with a private research university, where her projects included regulatory analysis for counsel of both the university and health system. She also worked as a research assistant for a nonprofit operating federally funded research and development centers on tasks including policy analysis and compliance.

She provides clients with assistance in the environmental, safety and health-law sectors.

...
+1 216 479 8537