
ed_adams
Chief Executive Officer, Security Innovation

Connecticut AG files HITECH Act Lawsuit…holy IT health records enablement!!

Opinion
Feb 22, 2010 | 3 mins
Business Continuity, Careers, Data and Information Security

For the first time, to my knowledge, there is a lawsuit invoking the new provisions of the HITECH Act — Connecticut Attorney General Richard Blumenthal filed a lawsuit against Health Net for violating HIPAA requirements. HIPAA of all things! It is one of the oldest info/data protection regulations and one that historically has had no real bite to it (and thus has not been taken as seriously as other regulations like PCI-DSS).

The lawsuit came about because last month a portable hard drive was lost or stolen from Health Net, and it contained protected ePHI (electronic protected health information): things like social security numbers, bank account info, etc. The data on the hard drive included 25 million scanned pages of documents: insurance claim forms, membership forms, grievances, medical records, etc.

Naturally, the data was not encrypted. It also wasn’t restricted or protected from access by unauthorized staff. Therefore, the CT AG filed suit claiming that Health Net failed to:

• Ensure the confidentiality and integrity of ePHI

• Supervise and train its workforce on policies and procedures regarding ePHI

• Promptly notify authorities and residents of the breach

How many more of these horror stories are we going to bear? This stuff can be avoided by following some very straightforward and relatively simple procedures. Do business leaders realize how expensive these new HITECH requirements can be — especially with the all-important precedent now set? Think about all the time and money this is going to cost Health Net, not to mention the hits to their reputation, the enormous legal fees they’re facing… and what will happen to their insurance rates and policies now?

Is this the event the HIPAA world has finally been waiting for? How many other organizations will face something just like this in the future? Have you implemented policies and procedures to ensure compliance with the HITECH requirements? Have you trained your employees on new requirements (or even the “old” HIPAA requirements) and implemented an ongoing awareness training program?

A survey in November 2009 by ID Experts revealed that 1/3 of business associates were not aware they need to adhere to the new security and privacy requirements – let me repeat that… 1/3 were not even AWARE. The survey also revealed that 50% of hospitals would terminate contracts with business associates for any ePHI violation or failure to adhere to the standards.

Will these new HITECH requirements be the catalyst for HIPAA? Will the HITECH requirements be the next PCI-DSS? Let me hear from you – what are you doing about this, if anything?

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his extensive industry experience in the software quality space, to direct application security experts who help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world, including Microsoft, IBM, FedEx, ING, Sony, Nationwide and HP.