States Taking an Active Roll in HIPAA Enforcement

When most people think about HIPAA enforcement, they think about the federal Office for Civil Rights – i.e., the division of the federal Department of Health and Human Services responsible for overseeing and enforcing HIPAA’s requirements. But the law also imparts authority to state attorneys general to bring civil action against entities for violating the HIPAA Privacy and Security rules, and now there may be reason to pay closer attention to state-level enforcement as well.

Recently, a medical software provider (Medical Informatics Engineering, Inc., or MIE) agreed to pay $900,000 to several state attorneys general as part of a settlement related to a breach that occurred in 2015, whereby a hacker accessed MIE’s systems and accessed the electronic protected health information (ePHI) of over 3 million individuals.

OCR investigated the breach and determined that MIE had failed to comply with HIPAA security requirements (including the requirement to conduct a risk analysis and implement required security controls). In addition, the attorneys general (AGs) of 12 states filed suit. The complaint alleged that MIE had failed to implement adequate security controls; had failed to encrypt its data; had failed to address known vulnerabilities; hadn’t provided security awareness training to its staff; and had failed to report the breach in a timely manner. In addition, the complaint alleged that MIE had violated several state data privacy laws related to protecting personal information; unfair and deceptive practices; and data breach notifications.

The multi-state AG lawsuit is the first of its kind, and it signals a growing focus at the state level on compliance with both HIPAA and state data privacy laws. It’s also important to note that MIE is a business associate. This settlement should disabuse any entity of the notion that business associates are inherently less exposed to regulatory or civil action. Covered entities should ensure that any business associates they rely on for plan administration are complying with the terms of the business associate agreement and are adequately protecting the covered entity’s PHI. Business associates should ensure that they comply with the terms of their business associate agreements and implement the requirements of the security rule, including the requirement to conduct a thorough risk analysis and mitigate any identified threats to PHI.