The Department of Health and Human Services’ Office for Civil Rights is the primary HIPAA compliance enforcer; nevertheless, state Attorneys General likewise perform a part in implementing Health Insurance Portability and Accountability Act Rules.
The Health Information Technology for Clinical and Economic Health (HITECH) Act granted state attorneys general the power to take civil actions for state locals who were affected by HIPAA Privacy and Security Rules violations and could get damages for the sake of state residents.
The first to exercise this right is the Connecticut Attorney General in 2010 versus Health Net Inc. with regard to the missing unencrypted hard drive that contains the electronic protected health information (ePHI) of 1.5 million persons and deferred breach notices. The case was resolved for $250,000. The Vermont Attorney General next filed a suit having the same action versus Health Net in 2011 that was resolved for $55,000, and Indiana took a civil action versus Wellpoint Inc. in 2011, which was resolved for $100,000.
State Attorney HIPAA cases were fairly unusual incidences. There were just 11 settlements with covered entities and business associates that take care of HIPAA violations from 2010 to 2015. There were 5 HIPAA enforcement cases by state attorneys general in 2017 and 12 cases in 2018 resulting in financial penalties for HIPAA Rules violations.
From 2019 to 2020, there were 5 cases resulting in sizeable penalties. Four of the five cases were multistate actions versus HIPAA-covered entities and business associates, meaning a number of state attorneys general took part in the enforcement actions. These multistate actions permit state attorneys general to gather their resources and look into likely violations of HIPAA and state regulations more effectively.
If state Attorneys General take civil actions versus covered entities or business associates, they are distinct from any OCR actions.
A number of data breaches have led to settlements at the state and federal levels. University of Rochester Medical Center, Community Health Systems/CHSPSC, Premera Blue Cross, Anthem Inc., Aetna, Cottage Health System, and Medical Informatics Engineering have all resolved cases with OCR and state attorneys general to take care of likely HIPAA violations.
In a lot of the state AG enforcement actions listed below, violations of federal (HIPAA) and state regulations were resolved by financial penalties. Through the years, a number of cases had violated HIPAA Regulations, however, the decision was made to take action against violations of comparable terms in state regulations.
HIPAA Enforcement by State Attorneys General in 2021
New Jersey was especially busy in HIPAA enforcement in 2021. It was the sole state to start its very own investigations and give financial penalties to settle HIPAA violations in 2021. New Jersey likewise took part in a joint analysis of the information breach at American Medical Collection Agency (AMCA). It was one of the biggest breaches of healthcare information ever. The AMCA HIPAA case resulted in the imposition of a $21 million financial penalty; nevertheless, because of the big costs sustained from the breach, AMCA submitted bankruptcy protection. Because of the financial status of the firm, the financial penalty was revoked and will just be paid when AMCA fails on the conditions of the settlement deal.
1. New Jersey – Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) paid $425,000 financial penalty in relation to a phishing attack and a data breach affecting 105,000 individuals.
2. New Jersey – Command Marketing Innovations, LLC and Strategic Content Imaging LLC paid $130,000 (Plus $65,000 suspended) in relation to Printing and mismailing incident affecting 55,715 individuals
3. New Jersey – Diamond Institute for Infertility and Menopause paid $495,000 in relation to the Hacking incident and data breach affecting 14,663 individuals.
4. Multi-state (41 state attorneys general) – American Medical Collection Agency – settlement amount of $21 million (suspended) in relation to hacking incident and data breach affecting 21 million
HIPAA Enforcement by State Attorneys General in 2020
1. Multistate (28 states) – Community Health Systems / CHSPSC LLC – paid $5,000,000 in relation to Hacking by a Chinese APT group affecting 6.1 million people.
2. Multistate (43 states) – Anthem Inc paid $39.5 million in relation to Phishing attack and a major data breach affecting 78.8 million people.
3. California – Anthem Inc paid $8.7 million in relation to a Phishing attack and a major data breach affecting 78.8 million people.
HIPAA Enforcement by State Attorneys General in 2019
1. Multistate (30 states) – Premera Blue Cross paid $10,000,000 in relation to the hacking incident and major data breach affecting 10.4 million.
2. Multistate (16 states) – Medical Informatics Engineering paid $900,000 in relation to Breach of NoMoreClipboard data affecting 3.5 million
3. California – Aetna paid $935,000 in relation to 2 mailings that exposed PHI (Afib, HIV) of 1,991 individuals
HIPAA Enforcement by State Attorneys General in 2018
1. Massachusetts – McLean Hospital paid $75,000 in relation to the loss of backup tapes affecting 1,500 people
2. New Jersey – EmblemHealth paid $100,000 in relation to a Mailing error that exposed SSNs impacting 6,443 (81,000) people.
3. New Jersey – Best Transcription Medical paid $200,000 for Exposure of ePHI in the Internet affecting 1,650 people.
4. Multistate (CT, NJ, DC) – Aetna paid $640170.59 in relation to two mailings that exposed PHI (Afib, HIV) and Impermissible disclosure of sensitive health information of 13,160 persons
5. Massachusetts – UMass Memorial Medical Group / UMass Memorial Medical Center paid $230,000 for Multiple data breaches affecting 15,000 individuals.
6. New York – Arc of Erie County paid $200,000 in relation to breach of ePHI on the Internet affecting 3,751 individuals
7. New Jersey – Virtua Medical Group paid $417,816 in relation to a breach of ePHI on the internet affecting 1,654 individuals
8. New York – EmblemHealth paid $575,000 in relation to Mailing error exposed SSNs affecting 81,122 individuals
9. New York – Aetna paid $1,150,000 in relation to 2 mailings that exposed PHI (Afib, HIV) affecting 12,000 individuals
HIPAA Enforcement by State Attorneys General in 2017
1. California – Cottage Health System paid $2,000,000 in relation to the exposure of PHI online affecting over 54,000 individuals
2. Massachusetts – Multi-State Billing Services paid $100,000 in relation to the theft of unencrypted laptop computer affecting 2,600 individuals
3. New Jersey – Horizon Healthcare Services Inc paid $1,100,000 in relation to the theft of 2 unencrypted laptop computers affecting 3.7 million individuals
4. Vermont – SAManage USA, Inc. paid $264,000 in relation to the exposure of PHI on the Internet affecting 660 individuals
5. New York – CoPilot Provider Support Services, Inc paid $130,000 in relation to delayed breach notification affecting 221,178 individuals
HIPAA Enforcement by State Attorneys General in 2015
1. New York – University of Rochester Medical Center paid $15,000 in relation to a nurse that disclosed its list of patients to a new employer, which affected 3,403 individuals
2. Connecticut – Hartford Hospital/ EMC Corporation paid $90,000 in relation to the theft of an unencrypted laptop with PHI affecting 8,883 individuals
HIPAA Enforcement by State Attorneys General in 2014
1. Massachusetts – Women & Infants Hospital of Rhode Island paid $150,000 in relation to the loss of backup tapes with PHI affecting 12,000 individuals
2. Massachusetts – Boston Children’s Hospital paid $40,000 in relation to the loss of a laptop with PHI affecting 2,159 individuals
3. Massachusetts – Beth Israel Deaconess Medical Center paid $100,000 in relation to the loss of laptop with PHI affecting 3,796 individuals
HIPAA Enforcement by State Attorneys General in 2013
1. Massachusetts – Goldthwait Associates paid $140,000 in relation to the mishandling of PHI affecting 67,000 individuals
HIPAA Enforcement by State Attorneys General in 2012
2. Minnesota – Accretive Health paid $2,500,000 in relation to the mishandling of PHI affecting 24,000 individuals
3. Massachusetts – South Shore Hospital paid $750,000 in relation to the loss of backup tapes with PHI affecting 800,000
HIPAA Enforcement by State Attorneys General in 2011
1. Vermont – Health Net Inc. paid $55,000 in relation to the loss of unencrypted hard drive/overdue breach notifications affecting 1,500,000 individuals
2. Indiana – WellPoint Inc. paid $100,000 to resolve its violation of breach notification requirements affecting 32,000 individuals.
HIPAA Enforcement by State Attorneys General in 2010
1. Connecticut – Health Net Inc. paid $250,000 in relation to the loss of an unencrypted hard drive affecting 1,500,000 individuals