Overview of Recent Settlement Actions
Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorneys general have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under their own Unfair and Deceptive Acts (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to confirm they have taken the steps required for HIPAA compliance.
Virtual Medical Group
In New Jersey, VMG, a non-profit network of physicians, paid $417,816 (including attorneys’ fees) and agreed to a Corrective Action Plan (“CAP”) in a March 2018 consent judgment with the New Jersey Attorney General and the New Jersey Division of Consumer Affairs. According to the consent judgment, VMG suffered a data breach caused by a Business Associate when the Business Associate inadvertently posted medical records online publicly during a File Transfer Protocol (“FTP”) server upgrade. After an investigation, the New Jersey Division of Consumer Affairs alleged violations of both the HIPAA Security and Privacy rules, including the following: a failure to conduct a thorough risk assessment; a delay in identifying and responding to suspected or known security incidents; improper handling of ePHI; and a failure to implement appropriate security measures. In particular, the consent judgment asserted that VMG allegedly failed to conduct a risk analysis relating to its Business Associate.
As part of the CAP, VMG agreed to hire an independent third party to conduct a comprehensive risk analysis (as required under the HIPAA Security Rule), revise its policies and procedures as necessary based on the findings, and report any actions taken to the Division of Consumer Affairs. Thus, even though the consent judgment indicated a Business Associate caused the actual breach, VMG, the Covered Entity, was nevertheless subject to an investigation that revealed alleged HIPAA violations and, subsequently, an enforcement action. This serves as a reminder of the need for Covered Entities to diligently select Business Associates and take them into account when conducting risk analyses.
EmblemHealth
The New York Attorney General’s office recently announced that EmblemHealth agreed through a settlement to pay $575,000 and implement a CAP to resolve alleged violations of HIPAA and New York’s General Business Law § 399-ddd(2)(e). According to the NY AG’s press release, EmblemHealth used health insurance claim numbers that incorporated individuals’ social security numbers on a mailing label for 81,122 people (55,664 of whom resided in New York).
According to the announcement, the CAP requires EmblemHealth to undertake a thorough risk assessment, provide adequate workforce training, and report any security incidents to the Attorney General’s office that involve the loss or compromise of New York resident information (even if the incident would not otherwise be subject to New York breach reporting requirements).
Such state actions are an important reminder that states may bring civil actions under both HIPAA and their own UDAP laws. Companies should take this as an opportunity to revisit their existing HIPAA privacy and security policies and their state data privacy compliance. The VMG settlement in particular highlights two important enforcement targets at both the federal and state levels: the need to conduct a thorough and accurate risk analysis and the need to engage in proper vendor management.