Attorney General HIPAA Penalties Continue with 90K Settlement

Attorney General HIPAA penalties continue to be issued, with Hartford Hospital and its Business Associate (BA), EMC Corp, having recently settled with the state of Connecticut over a breach of PHI after an unencrypted laptop computer was stolen in 2012. The incident resulted in the PHI of 8,900 state residents being exposed.

EMC had been contracted by Hartford Hospital to analyze PHI in an effort to reduce unnecessary admissions of patients suffering from congestive heart failure. PHI was shared with EMC Corp for this purpose; however, Hartford Hospital had not entered into a business associate agreement (BAA) with the vendor. Under HIPAA Rules, a BAA must be in place before any PHI is disclosed to a contractor.

The laptop theft triggered an investigation by the state AG’s office, which concluded that HIPAA violations had occurred, although the case was settled without any admission of liability. The $90,000 settlement will be paid by Hartford Hospital and EMC Corp.

Attorney General HIPAA Penalties Issued to Healthcare Providers

George Jepsen is one of only a few state attorneys general to have issued fines for HIPAA violations that resulted in the PHI of state residents being exposed. Under the HIPAA/HITECH legislation, state attorneys general are permitted to assist the Office for Civil Rights (OCR) in enforcing the HIPAA Privacy, Security and Breach Notification Rules. Attorney general HIPAA fines have previously been issued for privacy and security breaches in Connecticut, Massachusetts, Vermont, Minnesota and Indiana.

Health Net settled with the Connecticut attorney general for $250,000 in 2010 for lost, unencrypted computer drives. This was the first of a number of attorney general HIPAA penalties. Health Net also settled with Vermont for $55,000 for the same data breach.

South Shore Hospital settled with the Massachusetts attorney general’s office in 2012 for $750,000 after unencrypted backup tapes were lost, exposing the data of 800,000 individuals. Settlements were also reached with Beth Israel Deaconess Medical Center for $100,000 after an unencrypted laptop was stolen from a physician, and Boston Children’s Hospital was fined $40,000, again after an unencrypted laptop was stolen.

Accretive agreed to settle with the Minnesota AG’s office in 2012 over alleged HIPAA violations, paying $2.5 million and agreeing not to conduct business in the state for 6 years. In January of this year, the Indiana Attorney General issued a HIPAA penalty of $12,000 to a dentist for the improper disposal of PHI, after approximately 7,000 patient records were dumped.

The AG HIPAA settlements should serve as a warning to HIPAA-covered entities and their business associates that state attorneys general can, and do, enforce HIPAA Rules. Financial penalties are likely to be issued for violations of HIPAA legislation if they have led to the exposure of patient data.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news