An official announcement has been released by the Office of the Massachusetts Attorney General that a settlement has now been agreed with South Shore Hospital.
The healthcare supplier will have to pay a fine of $750,000 for violations of the state Consumer Protection Act (Massachusetts General Law Chapter 93A) and also breaching the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The settlement was agreed for the accidental exposure of Protected Health Information and for failing to securely delete ePHI. The violation heppening when three backup tapes storing unencrypted ePHI were accidentally sent to a data archiving company to be deleted and resold; however that company was not made aware of the contents of the tapes. Two of those tapes were then lost and have not been located.
The Attorney General’s investigation showed that a number of mistakes had been made by the hospital. The hospital had did not obtain a signed business agreement and did not find whether its choice of data company complied with HIPAA regulations.
The passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 allowed Attorney Generals more power to take action against organizations that breach data privacy and security laws. New powers were given to help the Office for Civil Rights with the policing of HIPAA regulations. However, not all State Attorney Generals’ Offices have been quick to apply these. Only Vermont and Connecticut, and now Massachusetts, have so far taken legal action against healthcare organizations that haveviolated HIPAA regulations.
The latest lawsuit is only the third to be submittedd, even though State Attorney Generals Offices receive a share of the settlements issued. To date, the HHS has supported this extra policing of HIPAA and has even provided computer based training and it also provided support in the lawsuit filed by Connecticut AG.
Healthcare suppliers, health plans and business associates should take notice of these three lawsuits which could now be seen by Attorney General’s Offices nationwide as a way of both increasing funding and showing that data privacy and security is treated with the utmost seriousness in their state.
The chance of AG lawsuits and a higher number of audits by the Office for Civil Rights mean that healthcare organizations must ensure data privacy and security policies are current, that business agreements exist for all associates and a proactive stance is taken to improve data privacy and safety. Lapses and non-compliance issues can prove to be very expensive.