Blumenthal delivers a wake-up call this month – HITECH enforcement shaping up to be quite demanding

7/22/2010

This month, Connecticut Attorney General Richard Blumenthal announced that his office reached a settlement with health insurance company Health Net over its breach of sensitive patient data. The agreement resolves allegations that Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state privacy protections. The Health Net breach dates back to May 2009, when the company lost a disk drive holding PII and PHI for some 2 million patients. The company took longer than what Blumenthal considered a reasonable amount of time to report the missing disk and notify affected individuals; Blumenthal alleged that the company delayed, and otherwise failed, to properly inform the state governing authorities.

This suit is significant for several reasons. For one, it marks the first suit brought by a state AG for violations of HIPAA after the Health Information Technology for Economic and Clinical Health Act (HITECH) gave AGs the authority to do so. Second, the settlement includes a $250,000 payment to the state, which happens to be the maximum penalty that state AGs may impose, and Health Net has agreed to an additional $500,000 payment if the missing drive was accessed and the information used improperly. Blumenthal said he felt the settlement “sends a strong message” about the “profound responsibilities to protect medical and financial records.”

If the Health Net suit doesn’t serve as a wake-up call that regulatory agencies mean business, then perhaps the latest notice of proposed rulemaking from HHS will. It is a modification to the Privacy, Security and Enforcement rules that extends the applicability of certain requirements to Business Associates. The proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions, establish new limitations on the use and disclosure of PHI, prohibit the sale of PHI, and expand an individual’s right to access and control his or her own information.

Additionally, the HHS Office for Civil Rights (OCR) has updated its breach notification webpage to a new, more accessible format that allows users to search and sort the reported breaches. The format includes brief summaries of breach cases that OCR has investigated and closed, as well as the names of private practice providers that have reported breaches of unsecured PHI to the Secretary.

Is your head spinning? Could the requirements be any tougher? And yet, some privacy and security experts would argue they aren’t enough, because we are playing catch-up in a world where risks to PII and PHI far outstrip our security efforts. We’d love to hear your opinion: are the new enforcement measures a bitter pill or well-deserved medicine?

By Melissa Sandefur
Research Analyst, Kroll Fraud Solutions
