In an unprecedented settlement arising from a federal lawsuit in the U.S. District Court for the Northern District of Indiana, a medical software provider agreed to pay $900,000 to 16 state attorneys general (AGs) for alleged violations of a conglomerate of state and federal privacy laws. The settlement represents the resolution of the first-ever multistate data breach suit based on alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state deceptive trade practices acts, state personal information protection acts, and state breach notifications acts. The matter arose out of a 2015 data breach, in which an Indiana-based electronic health record software provider and its subsidiary (the “EHR Provider”) discovered that hackers used a compromised user ID and password to access the electronic protected health information (“ePHI”) of approximately 3.5 million individuals whose health care providers used the EHR Provider’s software. The information exposed by the breach included names, dates of birth, Social Security numbers, and clinical information.
In the lawsuit, the state AGs asserted that the EHR Provider fostered a security framework that allowed the breach to occur. This framework allegedly failed to take appropriate measures to protect its computer systems and failed to take reasonable steps to prevent breaches. The state AGs claimed that the EHR Provider, as a business associate under the provisions of HIPAA, is required to comply with the HIPAA Security Rule, and had failed on numerous accounts to meet the Security Rule’s enumerated requirements.
Although the sheer number of individuals impacted by this breach is astounding, the real headline is the nationwide collective effort by the state AGs. In addition to wielding their statutory authority to enforce HIPAA, the state AGs also brought claims under their respective data breach and personal information protection statutes. The effect was that of a full-court press – the EHR Provider was accused of 38 separate counts of state law violations all stemming from the same breach. Notably, the settlement with the state AGs was finalized about one month after the EHR Provider agreed to pay $100,000 to the Office of Civil Rights (OCR), the agency tasked with enforcing HIPAA, for alleged HIPAA violations associated with the same breach. In addition to the monetary consequences, the EHR Provider has also agreed to numerous injunctive provisions and a corrective action plan requiring the company to implement and adhere to specific data security policies and procedures.
These settlements should serve as a cautionary tale for healthcare industry participants for several reasons. First, the affected entity in this instance was a business associate governed by HIPAA. To the extent a HIPAA covered entity must take specific measures to protect the ePHI of its patients, so too must the business associate that handles the information on the covered entity’s behalf. Business associates should take stock of their data security programs and ensure that they have procedures in place to monitor, detect, and address data vulnerabilities and breaches, consistent with HIPAA Security Rule requirements. As demonstrated by the federal suit, business associates are not only on OCR’s radar, but also that of the state AGs. HIPAA-covered entities should also pay close attention to the HIPAA compliance of their business associates to ensure that they are adequately protecting the covered entity’s information. To read more on recent OCR settlements with covered entities and business associates and OCR guidance on direct liability of business associates, click here and here.
Second, the increasing reliance on web-based applications for electronic health information management represents not only an opportunity for innovation and progress, but also a threat of increased exposure and liability. Transmission of ePHI via the Internet enables health care organizations to better treat and engage patients, and helps facilitate the beneficial exchange of medical information among providers. Ideally, this electronic network leads to improved healthcare. However, as the electronic network of patients and providers continues to grow, it becomes a more valuable and data-rich target for hackers. This means that covered entities and business associates participating within any given electronic network are often exposed to potential hazards that may impact individuals in multiple states, and are subject to multiple state and federal laws and threats of enforcement action. Thus, attention to data privacy and security must grow in scale with the size of the network managing the highly regulated information.
Lastly, the federal suit and settlement demonstrates that state AGs are willing to utilize resources and combine efforts nation-wide to hold healthcare industry participants accountable for compliance with both state and federal laws when it comes to data protection and privacy of health information. Moreover, as previously noted, electronic networks transmitting health information are growing. Naturally, this growth means the activities of healthcare organizations will reach more and more patients, which means handling highly regulated information in more and more states. Now faced with the no-longer-theoretical prospect of a multistate enforcement action, it is imperative that covered entities and business associates take measures to understand and comply with HIPAA and applicable state laws where their business is conducted.