Only two state attorneys general have pursued the authority Congress gave them two years ago to prosecute privacy and security breaches of health information — despite training from federal agencies and a consensus among privacy groups that enforcement needs to improve.
The authority to initiate such cases had previously belonged only to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), which was directed to protect private patient information by the 1996 Health Insurance Portability and Accountability Act (HIPAA). The expansion of jurisdiction to state attorneys general was awarded in concert with a $27 billion stimulus program initiated in 2009 to reward health care providers for switching from print to computerized health records.
The idea behind permitting attorneys general to sue under HIPAA was to give the regulation some teeth. The consensus among privacy and legal experts is that HIPAA enforcement has historically never held much weight among federal prosecutors. State attorneys general can now bring civil privacy cases to federal district court and can seek injunctive relief, statutory damages and attorneys’ fees. Congress believed that increasing the number of regulators by fifty-fold might improve provider compliance and reassure the public that health information would stay safe in the digital sphere. Since then, though, only former Connecticut Attorney General Richard Blumenthal and Vermont Attorney General William Sorrell have used the new power.
Experts blame a variety of factors for the apparent disinterest — the newness of the law, state budget constraints, conflicting priorities, even high rates of HIPAA compliance by health care providers. They also believe state attorneys general may have chosen to prosecute such cases under state privacy and security laws rather than the federal HIPAA law.
HIPAA’s aim is to give patients control of their own health information and protect their privacy by specifically limiting the ways doctors, hospitals, health plans, pharmacies and other health providers can use patients’ personally identifiable medical information. HIPAA also sets guidelines for the security of that information.
The 2009 amendment to the HIPAA law was enacted within the Health Information Technology for Economic and Clinical Health (HITECH) Act — part of President Barack Obama’s $787 billion economic stimulus plan — which rewards doctors, hospitals and clinics for switching to digitized medical records.
Lawmakers reasoned that without updated HIPAA rules and oversight, people’s private information could fall victim to hackers or groups interested in tracking medical decisions for financial gain — behaviors that were less of a concern when health records were produced only on paper.
The new rules say health providers must within 60 days notify individual patients, the government and the media if the security of their health systems has been breached as part of a case in which 500 or more people have been victimized. The rules also say that “business associates” who work with health care providers, such as outside billers and health care consultants, are also subject to HIPAA.
Neither business associates nor health care providers are allowed to sell protected health information.
State attorneys general now have the authority to bring civil actions on behalf of state residents in cases where they are threatened or adversely affected by these violations. After receiving a complaint from a resident and conducting an investigation, an AG can sue in federal district court to obtain monetary damages on behalf of state residents or to enjoin further violations of HIPAA. The damages are limited to $25,000 in a calendar year, at up to $100 per violation.
States are supposed to notify the HHS secretary before bringing such a suit, since a pending suit by federal agencies would bar any state action.
No climb in enforcement
The expansion of authority to state attorneys general in part reflected a general disappointment among privacy groups in federal performance regarding HIPAA violations.
“There has been a perception for a while now in the industry that there hasn’t been very aggressive enforcement,” said Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), a nonprofit that promotes understanding and use of health information technology.
“That was the message that Congress received, so that’s why they put the provisions in there.”
Pam Dixon, executive director at the World Privacy Forum, said HHS “has a woeful track record on bringing robust administrative enforcement actions.”
Leon Rodriguez, OCR director, said before HITECH the agency was limited in its ability to impose civil monetary penalties. The amendment increased the penalties from a maximum of $25,000 to a tiered range between $100 and $50,000 for each violation, with a maximum of $1.5 million, if the action is pursued by federal agencies.
“Since HITECH, HHS’ Office of Civil Rights sent a clear message that it is serious about enforcement of HIPAA’s Privacy Rule,” he said.
Over the course of 2009 and 2010, the HHS Office for Civil Rights received more than 16,000 complaints of security and privacy violations. The office determined that about 7,500 of those warranted an OCR inquiry. In almost all of those cases, OCR pushed for and obtained voluntary compliance from the provider or contractor through some sort of corrective action. Over 2009 and 2010, OCR referred 35 cases to the Justice Department for criminal investigation.
Jeffrey Drummond, an attorney who represents hospitals and other health care providers for the Texas firm Jackson Walker LLP, said he thinks the medical community is generally cautious about maintaining confidentiality and privacy, and that many complaints filed to OCR do not fall under HIPAA. “Is it a lack of regulatory teeth — or a lack of problems that need to be regulated?” he said.
Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, a nonprofit civil liberties group, said the provider organizations she works with care about being compliant with the law, but noted HIPAA rules are complicated.
She said it was a mistake to assert with confidence that everyone is compliant with the law. “It is best to say that most want to and do their best, but some people will be careless,” she said.
HIPAA and the States
One of the reasons for the lack of HIPAA enforcement on the AGs’ side is that states may choose to go through their own consumer protection statutes and privacy laws.
Broad statistics on pursuit of such cases under state law are hard to come by. But there are some examples. Indiana Attorney General Greg Zoeller, for instance, recouped $100,000 this July from insurance provider Wellpoint Inc., after it violated state law by failing to report in a reasonable amount of time that a data breach of its system had exposed the information of more than 32,000 residents.
But only two attorneys general have taken action using the new federal authority provided them.
Connecticut was the first. Then-Attorney General Blumenthal, who is the brother of former federal health information technology chief David Blumenthal, sued insurance provider Health Net Inc. last year for waiting six months to provide notification of a missing disk drive that contained unencrypted protected health information, social security numbers and bank accounts for nearly half a million Connecticut enrollees.
Connecticut officials said HHS worked with them diligently on the case, and that Health Net agreed to pay $250,000 in civil penalties.
That particular security breach affected 1.5 million people nationwide. Vermont Attorney General William Sorrell also went after Health Net for the same violation, which exposed information of 525 enrollees there. The company settled with Vermont this January for $55,000 and is submitting to data-security audits. It must also file security reports with the state during the next two years.
Both states used state laws and HIPAA to make their cases, but Vermont’s case also included a consumer fraud angle, said Assistant Attorney General Sarah London, because Health Net made misleading statements to consumers regarding their risk of harm.
A spokesman for Health Net told iWatch News in an email that the company cooperated fully with the attorneys general in Connecticut and Vermont to bring the matters to resolution.
HHS declined to comment on the modest state use thus far of the HIPAA enforcement authority, saying it could not speak for the individual attorneys general. But experts say resource constraints are the main problem; states are reeling from billions of dollars in budget and staff cuts brought on by the recession. The federal government does not assist state attorneys general financially in taking on HIPAA cases.
An aide to Democratic Rep. Henry Waxman from California, who authored the HITECH amendment, said states may have restrictive budgets that are now hindering their ability to prosecute, and added that over time “we hope that this provision will help enforce privacy laws.”
McGraw of the Center for Democracy and Technology also noted that states may be hesitant to move on such cases because of the limited monetary damages that could be recouped for HIPAA violations. “In a time of tight state budgets, are you going to devote your resources for such a low threshold, or are you going to use your resources to catch bigger fish?” she asked.
Even so, some legal authorities expressed surprise at the low number of prosecutions because of the potential for HIPAA cases to garner media attention for elected officials.
Michael Kline, an attorney at Fox Rothschild LLP in New Jersey who blogs about HIPAA, said attorneys general would likely be recognized for going after what he called “big bad faceless insurance companies.”
The general strategy appears to have had some political impact for Blumenthal, who was elected to the U.S. Senate shortly after the HIPAA case was resolved in Connecticut.
“Attorneys general are elected, and they like to be re-elected,” Drummond said, adding that HIPAA cases could allow them to be perceived “as champions of the downtrodden helping the common man.”
OCR held four two-day seminars across the country this year to help inform state attorneys general about their enforcement rights. Rodriguez from OCR said his office would continue providing them with computer-based training and technical assistance.
The National Association of Attorneys General has not offered training or seminars on the power afforded to its members, nor does it keep track of the cases. Leading privacy and consumer groups, including the Center for Democracy and Technology, World Privacy Forum and Privacy Rights Clearinghouse, also have not reached out to state attorneys general to make them aware of the provisions, though officials from each organization said they thought enforcement numbers should be higher.
“We should be seeing much more enforcement from state attorneys general,” said Dixon from World Privacy Forum. “Given the continuing lackluster administrative enforcement of HIPAA, states will need to take the lead on this. When and if the states do this, we may see a greatly improved enforcement landscape overall.”
McGraw agreed. “I’d like to see more enforcement and I’d like to see more guidance,” she said.
Connecticut Attorney General George Jepsen, who succeeded Blumenthal, told iWatch News that privacy issues will mushroom as more health care data is available through the Internet.
“A year ago I would not have put privacy in the top five issues I would be facing as attorney general,” he said, “but it has certainly worked out that way.
“Scarcely a month goes by without some sort of privacy breach.”
The state is currently investigating another case that could fall under HIPAA, in which an employee from Midstate Medical Center lost an external hard drive containing the information of more than 90,000 people.