Blog: Hospital and Vendor Reach Agreement to Settle Alleged HIPAA Violations with Connecticut AG

Cooley LLP

Last week, the Connecticut Attorney General (the “Connecticut AG”) announced that Hartford Hospital and its subcontractor, EMC Corporation (“EMC”), agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The entities will collectively pay a $90,000 penalty and also sign an Assurance of Voluntary Compliance (an “AVC”).

The Connecticut AG first learned of the potential HIPAA violations upon receipt of notification from Hartford Hospital in July 2012.  Hartford Hospital informed the Connecticut AG that it had retained EMC as a subcontractor to assist with a quality improvement project, and a laptop containing the unencrypted Protected Health Information (“PHI”) of over 8,000 Connecticut residents had been stolen from an EMC employee’s home.  Hartford Hospital maintained that there was no evidence that any of the PHI had been misused, although the laptop was not recovered.

Investigation of the incident revealed that both Hartford Hospital and EMC had some HIPAA deficiencies.  They had not entered into a Business Associate Agreement (“BAA”) with one another, and both parties were lacking certain required policies and procedures.  Pursuant to the AVC, both parties will augment their HIPAA compliance programs.  For example, Hartford Hospital will implement corrective action regarding its vendor contracting process and also agreed to encrypt certain files containing PHI.  EMC similarly agreed to establish policies regarding encryption and proper storage of PHI.  Both parties will implement additional workforce training regarding HIPAA, as well as general privacy and security.

State attorneys general became authorized to enforce HIPAA via the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) of 2009, and this settlement is the latest example of a state official exercising this authority.  It is also notable because, although most HIPAA enforcement to date has focused on Covered Entities, this settlement involves both a Covered Entity and a Business Associate. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising
