The November 2019 issue of the Connecticut Medicaid Program’s Provider Quarterly Newsletter urges providers and their trading partners to routinely review and monitor “user roles” and levels of access that their representatives have to information exchanged with the Medicaid program. The Newsletter additionally recommends deactivation and removal of staff access of those separated from employment. A reminder to report all suspected protected health information (PHI) breaches and related incidents immediately and to develop and maintain training for staff on HIPAA compliance comprises the balance of the advice contained in the Connecticut Department of Social Services’ publication.

Those not already familiar with HIPAA’s breach reporting requirements, may wish to read the Submitting Notice guidance on the United States Department of Health and Human Services’ (HHS) website. Additionally, the Connecticut Attorney General’s website identifies reporting obligations that pertain to security breaches involving computerized data and not just PHI. Reporting requirements for PHI and other data breaches can arise under federal and state law as well as by contract. The full extent of notification responsibilities may depend on a variety of factors including the law of other states where patients may reside. Accordingly, providers and other covered entities are well advised to consult with an attorney and consider notifying their insurance company as well when confronted with a known or suspected data breach.

Attention to maintaining privacy and security of PHI could be more important than ever as new proposed rules covering the sharing of penalties by federal authorities with patients harmed by HIPAA violations may be issued in the new year. Currently, settlements with the HHS Office for Civil Rights result in payments to the government only and not patients. Private data breach lawsuits, sometimes brought as class actions, may follow or precede government action. In Connecticut one can bring a private cause of action for money damages for harms suffered as a result of unauthorized release of confidential information under the Connecticut Supreme Court’s decision in Byrne v. Avery Center for Obstetrics and Gynecology, P.C. The Connecticut Attorney General and Connecticut Commissioner of Consumer Protection actively prosecute actions when significant data breaches occur. Breaches may also lead to penalties imposed on licensees as a result of complaints to the Connecticut Department of Public Health.

In this environment and with an anticipated push at the federal level to expand a patients’ ability to control the use or disclosure of their PHI and to access PHI, providers and other custodians of PHI should be more motivated than ever to shore up their HIPAA practices as 2019 comes to a close and as the rules governing electronic health records continue to grow and evolve.