This week we are having a special guest lecturer come in and discuss the Health Information Technology for Economic and Clinical Health (HITECH) Act, HIPAA, and how the Massachusetts encryption regulations are affecting the medical industry. Ahead of his lecture, I thought I’d share some groundbreaking news about the first HITECH case to be filed, and finished, by a state.
A Connecticut case, which was the first action by a state attorney general under the HITECH Act to enforce provisions of HIPAA, has resulted in a $375,000 fine. Connecticut Insurance Commissioner Sullivan announced on Nov. 8th that Health Net of Connecticut, Inc. had agreed to pay the fine for failing to safeguard the personal information of its members. The penalties were part of a large settlement agreement. The agreement also requires Health Net to provide credit monitoring protection for two years to all affected members and providers in Connecticut.
The case was filed as a result of a lost or stolen external hard drive. The drive contained medical claims and financial information of nearly 1.5 million Health Net customers, including approximately 500,000 Connecticut residents, and had “disappeared” in May 2009.
In addition to the HITECH violation, the original complaint also alleges a violation of Connecticut’s breach notification statute. As you recall from class, forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. You can see the updated list and the links to the state statutes here.