Last week, the Connecticut Attorney General’s office announced that it had entered into a settlement agreement with the Hartford Hospital and its business associate vendor, the EMC Corporation (EMC), to resolve claims arising from an investigation into the 2012 theft of a laptop containing unencrypted patient information. The hospital and business associate agreed to (1) collectively pay $90,000 to resolve the state-based HIPAA claims and (2) implement or continue new training requirements and other policies in response to the breach.
This case is a good reminder that Section 13410(e) of the HITECH Act gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of HIPAA. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.
This case also seems especially noteworthy in light of the recent U.S. Department of Health and Human Services (HHS) Office of the Inspector General’s comments about the relative dearth of HIPAA enforcement activity by the federal HHS Office of Civil Rights, as noted in our recent blog post. As such, this Connecticut AG enforcement action could represent the beginning of a new wave of HIPAA enforcement activity instituted by state Attorneys General.