Hospitals might be surprised to learn that HIPAA violations can not only result in federal fines, but also in fines from more than one state if the breach involves out-of-state residents. Under the HITECH Act, state Attorneys General also have enforcement and fine capabilities, but as states get more into privacy legislation, some states are enforcing their own state privacy regulations to protect their home state residents against out-of-state healthcare organizations and businesses as well.
In July 2014, the Massachusetts AG announced a consent judgment for $150,000 with a Rhode Island hospital over a breach of more than 12,000 Massachusetts residents’ health records, under an action based on both state privacy regulations and HIPAA. The action cited “deficient” employee training and internal policies that allegedly delayed discovery of the breach and its reporting. The terms also reportedly required the hospital to hire an outside firm to audit compliance and to inventory all locations and custodians of all unencrypted electronic media and patient charts. No cost estimate was placed on the compliance program.
The alleged breach occurred in 2011 when 19 backup tapes containing records for the hospital’s two prenatal clinics — one located in Massachusetts — were misplaced. The breach was discovered in early 2012 but not reported until the fall of 2012.
The states of Massachusetts, California, Florida, and Texas have been leaders in aggressive privacy laws and enforcement. HIPAA covered entities should review their data breach response plans and update them for these states specifically, especially if they operate in border areas. Many consultants recommend that covered entities and business associates anticipate being held to compliance standards in any out-of-state venue where their patients reside, and be prepared to respond even in non-contiguous states.
COMMENT: Hospitals, clinics, providers, and business associates should review their insurance coverage for adequate “cyber” coverage for HIPAA, privacy, and confidentiality. The rapid explosion of privacy claims and HIPAA fines has moved this exposure into one of the most rapidly growing liability and compliance arenas today, and the source of almost as many questions as EMTALA on this site.