White Collar Defense and Compliance : New Jersey White Collar Defense Lawyer & Attorney : Fox Rothschild Law Firm : Criminal Defense, Insider Trading, RICO, Consumer Fraud : New Jersey, New York City

As reported previously on this blog series, the requirements under HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches.

An earlier posting on December 13, 2010 (the “2010 Posting”) reported that, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “2010 Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

As reported by Ben Keller from London, Indiana Attorney General Greg Zoeller announced on July 5, 2011 in a press release (the “2011 Press Release”) that WellPoint agreed to pay $100,000 after the company failed to notify customers and the state Attorney General “without unreasonable delay” of a data breach that occurred between October 2009 and March 2010. In response to a request by Mr. Keller to comment for the article, I was quoted as follows:

By settling with WellPoint Inc., the Attorney General of Indiana joins the Attorneys General of Connecticut and Vermont in recovering a substantial sum for the state. . . . [U]nlike Connecticut and Vermont, the Attorney General of Indiana however proceeded solely under a state law enacted by Indiana in 2009. With this variety of successes, it is likely that more Attorneys General will become aggressive in this area in the future.

This posting will endeavor to make some additional observations about the Indiana case. As reported in the 2010 Posting, the Connecticut case proceeded under the federal HIPAA/HITECH statute, while Mr. Zoeller proceeded only under an Indiana state law. Subsequent to the 2010 Posting, this blog series reported on a settlement in Vermont in January 2011 that was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts.

In summary, there have now been three reported settlements by Attorneys General for PHI security breaches:

(i) one that proceeded solely under the federal HIPAA/HITECH statute (Connecticut);

(ii) another that proceeded under both the federal HIPAA/HITECH statute and state law (Vermont); and

(iii) a third one that proceeded solely under state law (Indiana).

The 2010 Posting also raised the question as to why Mr. Zoeller had proceeded only under the Indiana state law and not under HIPAA/HITECH as well. The 2011 Press Release sheds some light on the matter:

In 2009, Zoeller advocated for passing a new state law the Legislature enacted that session that now requires companies, in the event of a security breach, to notify consumers and the Attorney General's Office without unreasonable delay. Companies who detect an internal breach should make a written disclosure to the Attorney General's Identity Theft Unit.

It is clear that Mr. Zoeller wanted to achieve a successful result under the state statute for which he had personally urged passage. However, while the 2010 Posting reported that Mr. Zoeller was seeking $300,000 in civil penalties from WellPoint, he settled for $100,000 in penalties, plus, among other sanctions, the requirements that WellPoint provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach and that WellPoint reimburse any WellPoint consumer up to $50,000 for any losses that result from identity theft due to the breach.

As stated earlier, it can be expected that other attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments and other sanctions under HIPAA/HITECH and/or state law. Such actions can generate revenues for the state, act as a deterrent to others and generate positive media coverage for successful attorneys general.

Prompt, decisive and compliant action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches.
 

(Michael J. Kline, the author of this entry and a co-author of this blog, is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)

• Print
• Comments
• Trackbacks
• Share Link

As reported previously (see here), the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing direct intervention by attorneys general with respect to enforcement actions regarding such breaches. Last week for the first time, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) exacted heavy financial obligations from (i) Cignet Health and its affiliates (“Cignet”) on February 22, 2011, with a $4.3 million civil monetary penalty assessment (“CMP”) for violations of the HIPAA Privacy Rule and (ii) the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (collectively, “Mass General” ) on February 24, 2011, for a settlement that includes a payment to the U.S. government of $1,000,000 by Mass General for potential violations of HIPAA.

This is the first time that the OCR has publicized its activities in enforcement actions involving heavy monetary payments. Until now, as discussed above, the publicized enforcement activity for monetary recoveries from covered entities under HIPAA/HITECH has been by attorneys general in Connecticut, Indiana and Vermont.

The cases of Cignet and Mass General are efforts by the OCR to demonstrate its seriousness in taking action against violations or alleged violations of HIPAA/HITECH. In the OCR press release relating to Cignet (the “Cignet Press Release”), Kathleen Sibelius, Secretary Of HHS stated the following:

Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.

In the OCR press release relating to Mass General (the “Mass General Press Release”), OCR Director Georgina Verdugo was quoted as follows: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

The close proximity of the two OCR actions and press releases is noteworthy. According to the Cignet Press Release, the Cignet case involved 41 patients, while, according to the Mass General Press Release, the Mass General case involved 192 patients. Each of these numbers is far fewer than the threshold of 500 affected individuals for listing on the HHS website (the “HHS List”). Some of the 241 incidents reported on the current HHS List involve hundreds of thousands, or even more than one million, affected individuals. It is clear that OCR felt it necessary to make examples of Cignet and Mass General.

The two cases are very different in that the Cignet Health payment involves a CMP imposed by OCR for violations that the OCR found Cignet to have committed, including, according to the Cignet Press Release, the fact that “. . . Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.” Therefore, the heavy CMP on Cignet would appear to based in major part on OCR’s view that Cignet flouted the authority of OCR to investigate alleged HIPAA Privacy violations.

On the other hand, according to the Mass General Press Release, Mass General settled for a $1,000,000 payment and other compliance actions for “potential violations of the HIPAA Privacy Rule.” It is clear that Mass General, while having an incident that affected almost five times as many individuals as that of Cignet, exhibited a spirit of cooperation with OCR and, therefore, settled for less than one-fourth of the CMP imposed on Cignet and was not found by OCR to have committed a violation.

The juxtaposition of the two cases by OCR shows that cooperation may achieve significant benefits for alleged HIPAA violators, while those who fail to cooperate can be severely punished. The importance of these two cases warrant further discussion in future blog entries.
 

(Michael J. Kline, Esq., the author of this entry and author of an on-going analysis of the concerns of Madoff stakeholders, is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics)

• Print
• Share Link

As reported previously on this blog (here and here) relative to cases brought by former Connecticut Attorney General Richard Blumenthal  (the “Connecticut Action”) and Indiana Attorney General Greg Zoeller (the “Indiana Action”), the HIPAA/HITECH statutes and regulations regarding public disclosure of security breaches of Protected Health Information (“PHI”) have encouraged direct intervention by state attorneys general with respect to such breaches. The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. It was also pointed out in the earlier blog postings that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches.

On January 18, 2011, Attorney General William Sorrell of Vermont and his office (collectively, the “Vermont Attorney General”) announced in a press release (the “Press Release”) that it had settled a lawsuit (the “Vermont Action”), by means of a consent decree which requires court approval, against Health Net, Inc., and Health Net of the Northeast, Inc. (collectively, “Health Net”). The Vermont Action involves a number of the same issues to which the Connecticut Action
against Health Net related, including an alleged failure to promptly notify consumers endangered by the breach.

The settlement in the Vermont Action (the “Vermont Settlement”) would require Health Net to pay $55,000 to Vermont, submit to a data-security audit, and file reports with Vermont regarding information security programs for the next two years. Presumably the lower settlement amount in Vermont is attributable to the fact that, as the Press Release stated, 525 Vermonters were affected by the alleged PHI security breach, which may be contrasted to nearly 500,000 Connecticut enrollees that were the subject of the Connecticut Action.

Significantly, the Vermont Action, which was filed in the U.S. District Court for the District of Vermont, unlike the Connecticut Action and the Indiana Action, was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. The Press Release stated that the Vermont Settlement is “Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009.”

So far, state attorneys general have limited their enforcement activity under HIPAA/HITECH to cases where alleged unreasonable and lengthy delays in notifying affected individuals by insurers were present. Insurers may be attractive targets because they are perceived by the public as large, highly profitable and relatively faceless entities. It will be interesting to see when the first lawsuit is filed by an attorney general against a provider, such as a physician practice group or community hospital and what is the basis for such a lawsuit.

In any event, it can be expected that other attorneys general around the country will heighten their investigations of PHI security breaches and seek civil monetary payments under HIPAA/HITECH and/or state law. Perhaps more will even be heard from attorneys general who believe that citizens of their respective states have been affected by the alleged Health Net and/or Wellpoint PHI security breaches.

Prompt, decisive and positive action is required of providers, as well as insurers, to limit potential damages, rehabilitate relations with clients and the public reduce the likelihood of litigation and penalties.
 

(With appreciation to Michael J. Kline, Esq., the author of this entry and a co-author of this blog.  Mr. Kline is a partner with Fox Rothschild LLP, based in our Princeton, NJ office, and is a past Chair of the firm's Corporate Department. He concentrates his practice in the areas of corporate, securities, and health law, and frequently writes and speaks on topics such as corporate compliance, governance and business and nonprofit law and ethics.)

• Print
• Comments
• Trackbacks
• Share Link