State Enforcement of Breach Notification Rules is on the Rise

If you are having any second thoughts about assessing your compliance with HIPAA-HITECH security requirements and investing in data security then all you have to do is look at the rising cost of a data breach.

In 2009, the cost of breach response totaled about $204 per record breached, but that’s only if you look at the data across all industries. In the same study, the cost per record breached was about $294 in the healthcare sector. Legal expenditures were already on the rise, 14 percent higher than the prior year. And that was before new HITECH penalties were implemented, before HITECH enforcement created such extreme transparency about the missteps of organizations trusted with healthcare data, and before State Attorneys General and other state officials got a firm grasp on the new enforcement power afforded them.

That’s right. Under HITECH, State AGs can file civil suits in federal court against organizations going through the unfortunate aftermath of a data breach. This has already occurred in Connecticut but, in this case, Health Net settled out of court for $250,000. But just when the furor seemed to have calmed down, the state Department of Insurance fined them an additional $375,000 and required the insurer to purchase $1 million of identity theft insurance and fraud resolution services. These expenditures were certainly not included in the 2009 analysis of the average cost per record breached.

But states aren’t limited to enforcing federal law. In Indiana, the AG is currently suing WellPoint under state law, and in California, the state Department of Public Health is attempting to levy fines against Lucile Packard Children’s Hospital under its state regulatory authority. These are just a few instances of state enforcement happening across the country, and it is going to increase.

A spokesman for the HHS Office for Civil Rights was recently quoted as saying that training for state AGs will roll out in early 2011 to instruct them on the right way to file suit under HITECH. If you work in data security you’d better buckle your seat belt. It’s going to be a wild ride.

Start Now! We advise all Covered Entities to assess their overall compliance with the HIPAA Security Final Rule AND analyze their specific risks to ePHI. Both are required by law.
