Share this article on:
An announcement has been made by the Office of the Massachusetts Attorney General that a settlement has now been reached with South Shore Hospital. The healthcare provider will be required to pay a fine of $750,000 for violations of the state Consumer Protection Act (Massachusetts General Law Chapter 93A) and also violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The settlement was reached for the accidental exposure of Protected Health Information and for failing to securely erase ePHI. The violation occurring when three backup tapes containing unencrypted ePHI were accidentally sent to a data archiving company to be erased and resold; however that company was not informed of the contents of the tapes. Two of those tapes were subsequently lost and have not been recovered.
The Attorney General’s investigation revealed that a number of errors had been made by the hospital. The hospital had failed to obtain a signed business agreement and did not determine whether its choice of data company complied with HIPAA regulations.
The passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 gave Attorney Generals more power to take action against organizations that violate data privacy and security laws. New powers were provided to assist the Office for Civil Rights with the policing of HIPAA regulations. However, not all State Attorney Generals’ Offices have been quick on the uptake. Only Vermont and Connecticut, and now Massachusetts, have so far taken legal action against healthcare organizations that have breached HIPAA regulations.
The latest lawsuit is only the third to be filed, even though State Attorney Generals Offices receive a share of the settlements issued. So far, the HHS has supported this extra policing of HIPAA and has even provided computer based training and it also provided assistance in the lawsuit filed by Connecticut AG.
Healthcare providers, health plans and business associates should take notice of these three lawsuits which could now be viewed by Attorney General’s Offices nationwide as a way of both increasing funding and showing that data privacy and security is treated with the utmost seriousness in their state.
The possibility of AG lawsuits and an increased number of audits by the Office for Civil Rights mean that healthcare organizations must ensure data privacy and security policies are up to date, that business agreements exist for all associates and a proactive stance is taken to improve data privacy and security. Lapses and non-compliance issues can prove to be very costly.