Health Data Coding Error Costs Inmediata $1.4 Million with AGs

Beth Chun, Caroline Schmitz, Paul Singer, Abigail Stempson
Kelley Drye & Warren LLP
Contact
LinkedIn
Facebook
X
Send
Embed

We posted just last week about the Blackbaud multistate settlement, and as we have discussed, health privacy remains a hot topic and is already back in the news. On October 17th, 33 AGs led by Indiana, announced a multistate settlement in the form of a judgment with a Puerto Rico-based health care clearinghouse, Inmediata, for what the AGs alleged was a failure to appropriately safeguard data and a delayed and flawed notification to consumers of a coding issue. As a result, the states said protected health information (PHI) of approximately 1.5 million consumers was exposed to public online searches for almost three years. The AGs alleged, among other things, violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule and its Breach Notification Rule.

Although the U.S. Department of Health and Human Services’ Office for Civil Rights is the most well-known enforcer of HIPAA compliance, state AGs have played a growing role in enforcing compliance with HIPAA’s Rules. In 2009, the Health Information Technology for Clinical and Economic Health (HITECH) Act authorized state AGs to bring civil actions on behalf of state residents impacted by violations of the HIPAA Privacy and Security Rules, as well as its Breach Notification Rule. The Connecticut AG was the first to exercise this enforcement right in 2010 against Health Net Inc. for a security breach involving private medical records and financial information. While much attention has been given to the passage of recent broad comprehensive state privacy laws and those specific to health, such as Washington’s My Health My Data Act and Connecticut’s recent amendments to its data privacy law adding provisions specifically related to health data, it is important to remember that states may also have specific laws that are similar to HIPAA but include more expansive definitions, such as the Texas Medical Records Privacy Act.

Here, the AGs alleged that Inmediata violated HIPAA’s obligations by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law. The settlement requires Inmediata to pay a $1.4 million fine, divided among the participating states, and requires the company to implement strong security practices going forward. This is just the most recent example of the increasing activity by state AGs utilizing their HIPAA enforcement authority. We will keep you apprised of any developments in this area as they unfold.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kelley Drye & Warren LLP | Attorney Advertising

Written by:

Kelley Drye & Warren LLP
Kelley Drye & Warren LLP
Contact
more
less

Kelley Drye & Warren LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide