Contributed by Lee Kim, Esquire
lkim@tuckerlaw.com or 412.594.3915
Connecticut Attorney General, Richard Blumenthal, as parens patriae for the State of Connecticut and on behalf of the State of Connecticut, sued Health Net of the Northeast, Inc. (“Health Net”) for multiple HIPAA violations. In a nutshell, Mr. Blumenthal stated in a press release, “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable… Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months – most likely by thieves – before Health Net notified appropriate authorities and consumers.” See press release. (last accessed January 19, 2010).
According to the complaint (last accessed January 19, 2010), Health Net allegedly learned on or about May of 2009 that a portable disk drive, which contained protected health information (“PHI”), social security numbers, and bank account numbers for about 446,000 past and present Connecticut enrollees and 27.7 million scanned pages of documents, disappeared from Health Net’s Shelton, Connecticut office.
The complaint further alleges that Health Net, knowing that protected health information was subject to stringent privacy and security provisions of HIPAA, delayed and otherwise failed to properly and timely notify the Connecticut Attorney General’s Office or any other Connecticut government authorities regarding the missing PHI. According to the complaint, Kroll Inc., a computer forensic consulting firm retained by Health Net, indicated that the data on the portable drive was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties and viewable through the use of commonly available software.
Connecticut residents whose PHI was or was reasonably believed to have been accessed by an unauthorized person as a result of the data breach were not notified about the breach until a posting of a notice on its website on November 18, 2009 and by way of letters sent to these individuals starting November 30, 2009 as alleged by the complaint.
The following is a summary of what is required under the HIPAA Security Rules (and which the above-referenced complaint alleged that Health Net failed to satisfy):
1. Technical Safeguards (Required).
Access Control.
The HIPAA Security Rules require that an entity control access to PHI so that only authorized personnel can access it.
Encryption.
Encryption may be implemented to further secure the PHI under the Security Rules so that unauthorized persons may not have access to the PHI.
2. Administrative Safeguards (Required).
Policies and procedures must be implemented to reasonably safeguard PHI so that unauthorized persons may not have access to the PHI including policies and procedures to prevent, detect, contain, and correct security violations involving PHI. In particular, this involves PHI that is created, received, maintained, or transmitted.
The workforce, including employees and independent contractors, must be effectively supervised and trained to comply with the requirements of the HIPAA Security Rule which has the overall objective to ensuring that no unauthorized persons have access to PHI. The supervision and training must be necessary and appropriate for members of the workforce to carry out their respective functions and maintain security of PHI.
Once a security incident is identified or suspected, the entity must mitigate, to the extent practicable, the harmful effects of such incidents.
3. Physical Safeguards (Required).
Policies and procedures must be implemented with regard to the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility and the movement of items within a facility.
Please feel free to contact me if you would like assistance in applying the HIPAA Security Rules to your current situation as a covered entity or a business associate. I may be reached at lkim@tuckerlaw.com or by calling 412-594-3915.