

Devine Health Update:
Mass. Attorney General Crosses Border to Enforce HIPAA and State Data Privacy Laws

Healthcare Group

By: Kristin A. Mendoza, Esq.

 

October 21, 2014

Much has been written about the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, and its sweeping changes to the HIPAA Privacy and Security Rules. Less attention has been given to the fact that the HITECH Act gave state attorneys general the authority to bring civil actions on behalf of state residents for HIPAA violations. That is, until now. Earlier this year, the Massachusetts Attorney General filed suit against a Rhode Island hospital alleging violations of HIPAA rules and regulations as well as of the Massachusetts data protection and consumer protection laws. The case is notable because it is one of only a handful of cases brought by a state attorney general to enforce HIPAA, and it may be one of the first in which that office has sought enforcement against an out-of-state party.

In April 2012, Women & Infants Hospital of Rhode Island realized that it was missing 19 unencrypted back-up tapes from two of its Prenatal Diagnostic Centers, one located in Providence, Rhode Island and the other in New Bedford, Massachusetts. The back-up tapes contained the personal information and protected health information of 12,127 Massachusetts residents, including patients' names, dates of birth, Social Security numbers, dates of exams, physicians' names, and ultrasound images. The tapes were supposed to have been sent to a central data center at the hospital's parent company, Care New England Health System, in 2011 and then shipped off-site so that legacy radiology information could be transferred to a new picture archiving and communications system. In the spring of 2012, however, the hospital discovered that the tapes were missing and that their whereabouts could not be determined. Although the hospital was aware of the breach in April 2012, it did not notify the state attorneys general in Rhode Island and Massachusetts, or the affected consumers, until November 2012, more than six months after it concluded that a breach had occurred. The Office of the Massachusetts Attorney General then filed suit against the Rhode Island hospital, alleging violations of both HIPAA and the Massachusetts data protection and consumer protection laws.

In a settlement reached this summer, Women & Infants Hospital of Rhode Island agreed to pay $150,000 to the Office of the Massachusetts Attorney General to resolve the allegations that it failed to protect the personal information and protected health information of more than 12,000 patients in Massachusetts. Under the terms of the settlement, Women & Infants Hospital has agreed to take steps to ensure future compliance with state and federal data security laws and regulations, including maintaining an up-to-date inventory of the locations, custodians, and descriptions of unencrypted electronic media and paper patient charts containing personal information and protected health information. The hospital also agreed to perform a review and audit of its security measures and to take any corrective measures recommended in the review. The $150,000 payment consists of a $110,000 civil penalty, $25,000 for attorney's fees and costs, and $15,000 to a fund to be used by the Attorney General's Office to promote education concerning the protection of personal information and protected health information and to support future data security litigation.

Up until this point, it may have been presumed that state attorneys general, already overtaxed with enforcing the laws of their own states, would not wade into enforcement of a federal law that is already the subject of regular enforcement activity by several federal agencies. However, health care providers in New Hampshire should take note of this Massachusetts case for two reasons. First, HIPAA does not fully preempt state law. If a state law is "more stringent" (in that it provides greater rights and protections for individuals than HIPAA), then state law prevails and covered entities must comply with both. Given the very specific security requirements mandated under the Massachusetts data protection law, health care providers who have occasion to treat one or more Massachusetts residents should expect that the Massachusetts data protection law will apply to those residents' personal data, even if treatment is provided in New Hampshire. Second, earlier attempts by the Office of the Massachusetts Attorney General to enforce Massachusetts laws against New Hampshire businesses with no physical location in Massachusetts have been largely unsuccessful; the HITECH Act, by contrast, gives the Massachusetts Attorney General a right to bring an action on a federal claim. This in turn allows the Attorney General's Office to add state-specific claims to the suit and seek remedies under both federal and state law, which significantly increases an organization's exposure to penalties. New Hampshire health care providers of all sizes may find themselves settling claims and paying fines to the Commonwealth of Massachusetts without ever actually doing business there.

If your organization would like additional guidance on whether the Massachusetts data protection law applies to its business, we are here to assist.

.....


The Devine Millimet Healthcare Practice Group offers this free E-Mail Alert service to provide information on recent developments in healthcare law. If you have any questions about this e-mail, or if you know of anyone else who may be interested in receiving these alerts, please send us an email at healthcare@devinemillimet.com.


This is not a legal document nor is it intended to serve as legal advice or a legal opinion. Devine, Millimet & Branch, Professional Association makes no representations that this is a complete or final description or procedure that would ensure legal compliance and does not intend that the reader should rely on it as such.


© Copyright 2014 Devine Millimet & Branch, Professional Association
