The new privacy police

Conn. cited as first to sue under new authority

Modern Healthcare - The Week In Healthcare - Rebecca Vesely

States are beginning to police health information privacy breaches under new authority provided by the federal stimulus law. Digital privacy experts applaud the move, saying states—already charged with defending consumer protections—are well-suited to the job.

In what is widely agreed to be the first such case, last week Connecticut Attorney General Richard Blumenthal filed a civil lawsuit against Health Net alleging the health insurer failed to secure the patient medical records and financial data of 446,000 members or promptly notify customers of the security breach.

Blumenthal is exercising new authority under the American Recovery and Reinvestment Act, known as the stimulus law, which President Barack Obama signed into law in February 2009.

Under that law, states can prosecute violators of the Health Insurance Portability and Accountability Act of 1996. Previously, only federal authorities could pursue HIPAA violations. State attorneys general have pursued health information privacy breaches in the past, most notably in California and New York, but under state consumer protection laws.

“This is a huge step forward,” said Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, a civil liberties group based in Washington. “Attorneys general are consumer watchdogs; I say kudos to them.”

In May 2009, Health Net learned that a portable computer disk drive containing the health information, Social Security numbers and bank account numbers of nearly half a million past and present enrollees had disappeared. The missing drive included 27.7 million scanned pages of more than 120 types of documents, including claims forms, appeals, grievances, correspondence and medical records, according to Blumenthal’s complaint. The data was not encrypted or otherwise protected from viewing.

Six months after learning of the breach, Health Net posted a notice on its Web site and began notifying affected consumers by mail on Nov. 30, 2009, according to the complaint.

Health Net, which is based in Woodland Hills, Calif., sold its Northeast business to UnitedHealth Group and Oxford Health Plans—a unit of UnitedHealth—in December. Those two companies are also named in the lawsuit because they are the current owners.

“The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable,” Blumenthal said in a written statement. “Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.”

In a written statement, Health Net said there is no evidence that the data has been misused. The company is reviewing the lawsuit and said that “protecting the privacy of our members is extremely important to us.” The company offered two years of free credit-monitoring to affected members and $1 million of identity-theft insurance, according to the statement. No evidence has surfaced that any member experienced identity theft after the May incident, according to the statement, and Health Net promises free assistance to any member who does.

Blumenthal is seeking civil penalties under HIPAA. Those penalties, updated through the stimulus law, cannot exceed $1.5 million per year.

Patient information breaches are not uncommon.

Just last week, Blue Cross and Blue Shield of Tennessee disclosed that the personal information of an estimated 500,000 members is at risk after 57 hard drives were stolen from a leased facility in Chattanooga in October.

The hard drives contained audio and video files related to care coordination and recorded eligibility phone calls from providers and members. The files contained member names and Blues ID numbers and some diagnostic information, dates of birth and Social Security numbers, the Tennessee Blues said.

As of Jan. 7, some 220,000 members had been identified as being at risk of having their name, Social Security number, date of birth and address exposed. About 157,500 have been notified by mail of the breach. These customers have been offered one year of free credit-monitoring and identity-theft counseling.

There’s no evidence that member data has been accessed or used, the Chattanooga, Tenn.-based insurer said.

A call to the Tennessee attorney general’s office was not returned by deadline.

And in one of the first criminal cases under HIPAA, earlier this month, the U.S. attorney’s office in Los Angeles and the FBI announced a plea agreement in the case of a medical researcher at UCLA Health System who peeked at the medical records of co-workers and celebrities. He faces a maximum term of four years in federal prison and will be sentenced on March 22.

To help consumers become more comfortable with online medical-record keeping, McGraw said, authorities must be more assertive in invoking their authority available under HIPAA.

“Consumers will be better off if more people are keeping an eye on it,” McGraw said.
