December 19, 2018
In a case of first impression, 12 state Attorneys General have joined together in a multi-state suit against an electronic medical records company in connection with a 2015 data breach. While individual states have increasingly legislated to guard residents’ privacy rights and enforce consumer data privacy, and individual states have advanced federal Health Insurance Portability and Accountability Act (HIPAA) claims, this case represents the first instance in which a consortium of states has jointly alleged HIPAA violations and in which these claims have been advanced by a non-federal actor.
The body of HIPAA legislation passed in 1996 did not provide for a private cause of action. Historically, this meant that HIPAA enforcement occurred only at the federal level, through the Office for Civil Rights (OCR). Over time, because HIPAA did not provide an enforcement mechanism that individuals or states could employ in response to perceived violations, states began legislating state-based consumer and data privacy laws that were similar, but not always identical, to the standards and protections provided by federal HIPAA legislation. These laws were state analogs or derivatives of HIPAA, allowing state Attorneys General to enforce protections for residents in state courts.
As part of the American Recovery and Reinvestment Act of 2009, the federal government passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. Among other provisions, the HITECH Act provided the legal authority for state Attorneys General to sue on behalf of state residents for alleged violations of HIPAA protections, in lieu of the OCR serving as the sole enforcement authority.[i] Although states have held this authority for almost a decade and individual state Attorneys General have filed HIPAA enforcement actions, this suit is the first instance of state Attorneys General joining together to pursue a multi-state civil action against an alleged breaching entity pursuant to HIPAA’s HITECH provisions, instead of relying solely on alleged violations of state-based privacy statutes. This joint enforcement strategy affords the state Attorneys General the opportunity to file in federal district court (versus filing in state court) to enforce a HITECH Act claim.
HIPAA – No Private Right of Action
The HIPAA regulations do not provide a private cause of action. Thus, patients and non-federal actors cannot sue a HIPAA Covered Entity or Business Associate for a HIPAA violation, even where the rules have been squarely violated. Instead, patients and other aggrieved parties are directed to file complaints with the federal government through the OCR portal.
The OCR investigates these complaints and may take action against Covered Entities or Business Associates where HIPAA rules have been violated. Depending on the nature of the violation, the number of individuals impacted, whether there have been repeated violations of HIPAA provisions, and other factors, violating parties can face penalties including fines and corrective action plans. OCR resolves many complaints through voluntary compliance; however, complaints may be referred to the Department of Justice for criminal prosecution.
2009 HITECH Act Gives State Attorneys General The Power to Enforce Privacy Rights Under HIPAA
It was not until 2009 that the states were given the authority to prosecute HIPAA Privacy and Security Rule breaches affecting residents of their respective states. The HITECH Act (Section 13410(e)) gave state Attorneys General the power to file civil actions, on behalf of state residents, for violations of the HIPAA Privacy and Security Rules. State Attorneys General are also permitted to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and/or Security Rules. Permitting state Attorneys General to sue under HIPAA (HITECH) allowed for greater prosecutorial flexibility and harsher penalties. This legal mechanism for pursuing breaching parties falls under the auspices of improved enforcement: Congress believed that increasing the number of regulators would strengthen compliance with the HIPAA Privacy and Security Rules. It is arguable whether the goal of strengthened compliance has been met, but clearly states can and have used this tool to successfully pursue pecuniary and injunctive relief on behalf of their citizens.
The Instant Case: Alleged Breach by Medical Informatics Engineering, Inc.
Medical Informatics Engineering, Inc. (MIE) is an Indiana medical software company that operates a communication network allowing healthcare providers to transmit and share patient-related electronic communications. Between May 7, 2015 and May 26, 2015, hackers infiltrated the MIE system and accessed patient names, mailing and email addresses, dates of birth, some social security numbers, lab results, dictated reports, and medical conditions on MIE’s allegedly inadequately protected computer systems. MIE became aware of the suspicious activity on one of its servers on May 26, 2015, and immediately began investigating the attack to identify and remediate the vulnerability. In June of 2015, MIE announced the sophisticated cyberattack and reported to the federal government that the electronic Protected Health Information of 3.9 million people had been compromised. MIE contacted and mailed notice letters to affected clients in June of 2015 and mailed notice letters to affected individuals in July of 2015.
A Brief Evolution of HIPAA and Privacy Law Enforcement and Future Considerations
Shortly after Congress passed HITECH in 2009, Connecticut’s Attorney General Richard Blumenthal became the first state Attorney General to utilize HITECH’s permissive stance on Attorneys General advancing federal HIPAA claims, by filing and ultimately settling a complaint against Health Net (a subsidiary of UnitedHealth Group Inc.). The claim arose from the loss of a hard drive which contained the names, addresses, social security numbers, protected health information, and various financial information of two million persons, 500,000 of whom were Connecticut residents.[ii]
In 2014, another notable state Attorney General HIPAA enforcement case occurred when Massachusetts reached across state lines to sue Women & Infants Hospital of Rhode Island[iii] for a 2012 breach that affected 12,000 Massachusetts residents. In this case, computer backup tapes containing the protected health and financial information of over 14,000 people were lost or stolen and, allegedly, Women & Infants Hospital failed to notify the victims of the breach in a timely manner. Interestingly, the Attorney General of Massachusetts included both state and federal violations in its complaint, but because neither Massachusetts nor Rhode Island state law clearly defined the period for “timely notification”, the federal standard was easier to prove, as its definition of “timely notification” is clearly spelled out.[iv]
In the instant case, a case of first impression for the collective efforts of multiple states, the civil suit was filed in the US District Court for the Northern District of Indiana (where MIE is incorporated and located). The 12 state Attorneys General brought state-based consumer data and privacy claims alongside the HIPAA/HITECH claim against the defendant, MIE. Aggregating the state-based claims with the federal claims yields no fewer than 28 separate causes of action under HIPAA, Deceptive Acts, Data Breach, and PIPA legislation. This joint litigation is a novel method of pooling the resources of numerous prosecuting authorities to confront an alleged bad actor with what may be overwhelming legal resources.
Not dissimilar to the immense growth of qui tam litigation over the last few years where private entities stand in place of federal prosecutors (most often to advance False Claims Act cases), it is possible that this case represents the future of HIPAA enforcement and a shift to state-based enforcement of federal HIPAA protections. In today’s data privacy landscape (including discussion of a federal data privacy framework), it is not unreasonable to think that multi-state enforcement actions by Attorneys General may become a favored approach for consumer protection. This trend is not unprecedented; it aligns with the enforcement and application of many other federal healthcare practices. For example, most violations of patient safety issues involving Medicare beneficiaries are investigated by state Departments of Public Health rather than CMS itself. Further, CMS has delegated the judgment of deemed status to healthcare organizations that receive the Joint Commission’s or other accrediting bodies’ seal of approval.
Since the number and size of data breaches continue to grow and personal information contains more than just health information, it seems logical and likely that the states will continue to exercise their joint and several rights provided under HITECH and other laws to wrap state and federal claims into larger and more sophisticated lawsuits.
The lawsuit is a clear reminder that HIPAA Covered Entities and Business Associates (and any other organization that collects or holds any type of protected information) need to create a plan to address the myriad applicable data protection laws, lest the collective enforcement efforts of the states become a very real problem in the event of a breach. The government, at both the federal and state level, is continually pursuing heightened means of enforcing data privacy and security laws.
[i] The American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111-5, 123 Stat. 115, §13410(e) (February 17, 2009): “(e) ENFORCEMENT THROUGH STATE ATTORNEYS GENERAL.— (1) IN GENERAL.—Section 1176 of the Social Security Act (42 U.S.C. 1320d–5) is amended by adding at the end the following new subsection: ‘(d) ENFORCEMENT BY STATE ATTORNEYS GENERAL.— (1) CIVIL ACTION.—Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction— (A) to enjoin further such violation by the defendant; or (B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2)
[iv] 45 CFR 164.404(b) (HIPAA provides that individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach).