Multi-state AG enforcement of HIPAA — a sign of what’s to come?


This article is a republication of a piece I wrote for DataGuidance, a global privacy platform, in June of this year. As one of 30 North American experts, I occasionally produce content for this resourceful tool used by privacy professionals around the world. 

On 4 December 2018, 12 State Attorneys General (‘AGs’) filed a joint complaint against the company Medical Informatics Engineering (‘MIE’) in the United States District Court for the Northern District of Indiana (‘the Court’), in the case State of Indiana et al v. Medical Informatics Engineering, Inc. et al (‘the MIE case’). The complaint was filed over the company’s handling of a data breach in May 2015, which the AGs claimed had amounted to a violation of the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’), as well as statutes at a state level. Thomas Ritter, Associate at Thompson Burton PLLC, comments on the significance of the MIE case, and questions whether we may see more such joint action from AGs regarding data breaches in the future.


Introduction

If you blinked at the end of last year, you may have missed an incredibly significant development concerning state data security oversight. For the first time ever, 12 AGs[1] joined together to file a multi-state HIPAA-related data breach lawsuit in federal court. While the basis of the MIE case is noteworthy enough on its own, the bigger implication seems to be a willingness on the part of state regulators to take enforcement matters into their own hands.

Enforcement authority in multi-state AG investigations

Multi-state investigations and actions take place when issues of common interest attract the attention of different AGs across the country. One such issue of increasing interest is that of data breaches. AGs typically enforce data breach laws under the separate and distinct theories of Unfair and Deceptive Acts or Practices (‘UDAP’) provisions and state-level data breach notification statutes. Acting as miniature versions of Section 5 of the Federal Trade Commission Act of 1914 (‘the FTC Act’)[2], UDAP laws often represent the legal weapon of choice for AGs to combat an assortment of consumer protection harms. State data breach notification statutes, on the other hand, statutorily require private or governmental entities to notify affected consumers in a timely manner in the event of a data breach.

In the context of protected health information, the Health Information Technology for Economic and Clinical Health Act of 2009 (‘HITECH’)[3] gives AGs the authority to enforce privacy and security concerns under HIPAA through civil actions. Filed on behalf of state residents affected by HIPAA violations, state enforcement actions can yield significant civil penalties.

In sum, AGs exercise data security oversight authority through the enforcement of both federal (HIPAA/HITECH) and state (consumer protection and data breach notification) laws.

The case against MIE

MIE was a third-party provider that licensed its application, WebChart, to healthcare providers. WebChart was an electronic application used by physicians and medical facilities nationwide, which allowed patients to access and manage their medical records. In May 2015, MIE suffered a breach after hackers infiltrated its internal computer systems. The breach resulted in the loss of 3.9 million individual protected health information records from the MIE database. The information accessed included, but was not strictly limited to, patient names, telephone numbers, mailing addresses, usernames and passwords, security questions and answers, spousal information, email addresses, dates of birth, social security numbers, lab results, health insurance information, diagnoses, and medical conditions.

MIE did not discover the intrusion until 26 May 2015. Perhaps most notably, MIE did not begin the process of notifying affected individuals until more than two months after the intrusion, and 50 days from the discovery of the breach. Ultimately, MIE did not complete notification to all those affected until December 2015.

Around three years after the breach, 12 AGs collectively filed a complaint in the Court on 4 December 2018. In the MIE case, the AGs requested injunctive relief and restitution in the form of statutory damages arising out of violations of HIPAA, state UDAP laws, and breach notification and personal information protection statutes. Because each claim was predicated upon a distinct federal or state law, the AGs had the opportunity to seek separate fines per violation[4].

On 23 May 2019, MIE agreed to pay $900,000 to the 16 state AGs to settle the case[5]. In addition to the financial settlement, MIE agreed to implement and maintain a robust information security program. This program will contain administrative, physical and technical safeguards like the use of multi-factor authentication and an incident monitoring solution. Around this same time, MIE also settled with the U.S. Department of Health and Human Services’ (‘HHS’) Office of Civil Rights (‘OCR’) to the tune of $100,000. MIE founder, Douglas Horner, stated,

“The OCR and the state AGs are involved in the enforcement of HIPAA privacy rules. Working with the OCR, the multi-state AG group, and the plaintiffs[6] underscores our commitment to working with regulators to help safeguard sensitive patient information.”

After a busy 2018, AGs show no signs of slowing down

Although the OCR is the main enforcement authority for HIPAA-related infractions, a recent trend indicates more intentional involvement from state regulators. According to the HHS, 2018 saw the OCR take action against 11 companies for HIPAA violations[7]. Meanwhile, AGs in Massachusetts, New York and New Jersey alone had almost as many enforcement actions in 2018[8]. New Jersey AG Gurbir S. Grewal’s words after one of these actions signified this increased interest: “We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information.”[9] Furthermore, states like Connecticut have even gone so far as to devote an entire department[10] within the office of the AG to the protection of State residents’ personal information and data.

With widespread data breaches becoming more commonplace by the day, it’s unlikely that AGs will refrain from jumping into the fray. In fact, any future incident like the MIE breach that affects residents across state lines is almost sure to prompt a multi-state AG investigation and lawsuit.


[1] Initially, the lawsuit involved AGs from 12 states but later expanded to the following 16 states: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin.

[2] Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in the marketplace, and is located at §45(a) of Title 15 United States Code (‘U.S.C.’).

[3] §1320d-5(d) of Title 42 of the U.S.C.

[4] For example, whereas the Florida Statute relating to breach notification (§501.171 of Title XXXIII of the Florida Statutes) provides for a $1,000 penalty for every day a violator fails to timely notify those affected outside 30 days from the date of the breach discovery, the Louisiana Statute relating to breach notification (§51:3071 et seq. of Chapter 51 of the Louisiana Revised Statutes) expressly accords a $5,000 penalty for each day the violator fails to provide notification outside the applicable timeframe.

[5] Consent Judgment and Order, No. 3:18-cv-00969 (N.D. Ind. filed 23 May 2019).

[6] MIE is also the subject of a pending class action lawsuit arising out of the incident.

[7] See: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/2018enforcement/index.html

[8] Massachusetts was involved in at least two HIPAA enforcement actions, against McLean Hospital and UMass Memorial Medical Group/UMass Memorial Medical Center. New York was involved in at least three HIPAA enforcement actions, against Arc of Erie County, EmblemHealth, and Aetna. Finally, New Jersey was involved in at least four HIPAA enforcement actions, against EmblemHealth, Best Transcription Medical, Aetna, and Virtua Medical Group.

[9] AG Grewal said this in response to a third-party vendor’s agreement to pay the State of New Jersey a $200,000 civil penalty over a HIPAA violation stemming from a 2016 data breach. See: https://www.nj.gov/oag/newsreleases18/pr20181102a.html

[10] The Privacy and Data Security Department is a department within the Connecticut AG office. See: https://portal.ct.gov/AG/Departments/Privacy/The-Privacy-and-Data-Security-Department.