Yesterday, the Connecticut Attorney General announced it has sued Health Net of Connecticut for a security breach involving 446,000 Connecticut enrollees. The Connecticut AG is using the authority provided to state AGs to enforce HIPAA under the HITECH Act. You can read more about the case here.
This is likely the beginning of a new trend of state level HIPAA enforcement. As with previous "new waves" of health care regulatory enforcement, the enforcers are starting with a rather egregious case. (At least in terms of number of people impacted.) Now that Connecticut has taken the first step down this road, it will be interesting to see when other states follow suit. It will also be interesting to see if the states pursue anything other than the largest breaches under this new authority.
The scope of breaches the states are willing to purse will be especially interesting to the home health and hospice community. If, due to lack of staffing, etc., states only pursue the larger breaches, many home health and hospice providers may not have to worry about state AG enforcement. In my opinion, this is likely to be the case initially, but as time goes on you will see the states become more accustomed to enforcing privacy in this fashion and they will devote more resources to this effort. This will lead to broader enforcement.
For now, the main point is that we have now seen the first AG suit under the HITECH Act. More suits are certain to follow. This means that after years of moderate to non-existent HIPAA enforcement, HIPAA enforcement is on the rise. If you have not considered your HIPAA compliance efforts recently, now is a good time to go back and review. You want to be sure you are in compliance now, before enforcement really swings into high gear.
Many innocent companies are suffering tremendously due to the unethical behaviour that is taking place within the industry. The home health agencies are already suffering. However, is it possible that the main purpose is not just to minimize fraud, but mainly to cut out the little companies that contribute to the tax bracket and employ thousands so that only the larger corporations can survive?
Posted by: Patty Nay | 01/19/2010 at 09:17 PM
The alleged security breach involved the theft of a portable disk drive containing unencrypted data. More and more home care providers are transitioning to point-of-service devices like smart phones and handhelds (according the recent 'Blackberry Report' from NAHC). So home care providers making this kind of transition should protect themselves by learning how to keep it secure and what they should do in case of a breach. Thanks for giving home care providers a heads up about this case and the enforcement trends it may signal.
Posted by: Erin Lang Masercola, PhD, CPC | 01/20/2010 at 06:34 AM
You are welcome.
Robert W. Markette, Jr., CHC
Gilliland Markette LLP
3905 Vincennes Road, Suite 204
Indianapolis, Indiana 46268
Telephone: (317) 704-2400
Toll Free: (800) 894-1243
Fax: (317) 704-2410
Mailto: rmarkette@gillilandmarkette.com
http://www.gillilandmarkette.com
http://www.homecarelawblog.com
Posted by: Robert Markette | 01/20/2010 at 06:37 AM