We posted just last week about the Blackbaud multistate settlement, and as we have discussed, health privacy remains a hot topic and is already back in the news. On October 17th, 33 AGs, led by Indiana, announced a multistate settlement in the form of a judgment with a Puerto Rico-based health care clearinghouse, Inmediata, for what the AGs alleged was a failure to appropriately safeguard data and a delayed and flawed notification to consumers of a coding issue. As a result, the states said protected health information (PHI) of approximately 1.5 million consumers was exposed to public online searches for almost three years. The AGs alleged, among other things, violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule and its Breach Notification Rule.

Although the U.S. Department of Health and Human Services’ Office for Civil Rights is the most well-known enforcer of HIPAA compliance, state AGs have played a growing role in enforcing compliance with HIPAA’s Rules. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act authorized state AGs to bring civil actions on behalf of state residents impacted by violations of the HIPAA Privacy and Security Rules, as well as its Breach Notification Rule. The Connecticut AG was the first to exercise this enforcement right in 2010 against Health Net Inc. for a security breach involving private medical records and financial information. While much attention has been given to the passage of recent comprehensive state privacy laws and those specific to health, such as Washington’s My Health My Data Act and Connecticut’s recent amendments to its data privacy law adding provisions specifically related to health data, it is important to remember that states may also have laws that are similar to HIPAA but include more expansive definitions, such as the Texas Medical Records Privacy Act.

Here, the AGs alleged that Inmediata violated HIPAA’s obligations by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law. The settlement requires Inmediata to pay a $1.4 million fine, divided among the participating states, and requires the company to implement strong security practices going forward. This is just the most recent example of the increasing activity by state AGs utilizing their HIPAA enforcement authority. We will keep you apprised of any developments in this area as they unfold.