NY Medical Center Faces HIPAA Penalty
State Attorney General Says Settlement Is 'Warning' to Others
New York's state attorney general has taken action to penalize a hospital and make sure it beefs up training after a nurse practitioner gave patients' information to her future employer without getting the patients' permission, a HIPAA violation.
The University of Rochester Medical Center was fined $15,000 and must carry out a corrective action plan under the terms of the state settlement for the incident, which affected about 3,400 patients.
The move is just the latest in a series of HIPAA enforcement actions that state attorneys general have taken, based on their authority under the HITECH Act. In November, Connecticut's attorney general levied a $90,000 fine against Hartford Hospital and its vendor EMC in the state's latest HIPAA settlement, which was related to a 2012 breach (see State Fines Hospital, EMC After Breach).
The New York settlement requires University of Rochester Medical Center to train its workforce on policies and procedures related to protected patient health information and notify the state attorney general of future breaches, New York Attorney General Eric Schneiderman says in a statement.
"This settlement strengthens protections for patients at URMC, and it puts other healthcare entities on notice that my office will enforce HIPAA data breach provisions," Schneiderman says. "Other medical centers, hospitals, healthcare providers and healthcare entities should view this settlement as a warning and take the time now to review and amend, as needed, their own policies and procedures to better protect private patient information."
In the spring of this year, a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology, without first obtaining authorization from the patients, according to the attorney general's statement. On April 21, Greater Rochester Neurology used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to the new provider, the statement notes.
A spokesman for the New York attorney general's office declined to comment on whether the state will pursue any enforcement actions against Greater Rochester Neurology in the matter. As for the fine levied against URMC, "there is no maximum HIPAA fine," he says. "The fines, like all penalties, are determined in light of all the circumstances."
URMC did not immediately respond to Information Security Media Group's request for comment.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the URMC incident highlights a tricky HIPAA-related dilemma for some clinicians.
"It is often challenging to navigate HIPAA when a healthcare professional changes practices," he says. "From a treatment perspective, healthcare professionals rightfully consider themselves to have an ongoing relationship with their patients and may expect that they can take a patient list with them. But navigating HIPAA can be a challenge, because the patient list arguably belongs to the former employer, not the treating healthcare professional, and HIPAA is unclear as to whether the healthcare professional continues to have a relationship with the patients when changing practices, which is relevant to whether HIPAA permits one practice to disclose the patient list to the other practice."
These issues can be navigated in other ways, such as through appropriate business associate agreements between the practices, he notes, but that requires careful planning and coordination.
"Making matters worse, the HIPAA violation may fall on the practice that didn't even benefit from the communications to the patients - the practice that the healthcare professional left," as was the case in the URMC incident, Greene notes.
Other State Actions
New York is among a handful of states whose attorneys general have pursued HIPAA enforcement cases. Other states that have issued HIPAA-related settlements in breach cases include Connecticut and Massachusetts.
Former Connecticut Attorney General Richard Blumenthal in July 2010 reached a settlement with health insurer Health Net to pay $250,000 and implement a corrective action plan after a breach that affected 1.9 million individuals. That case marked the first time a state attorney general filed a HIPAA civil lawsuit. Since then, Connecticut's AG office has reached HIPAA settlements in "fewer than 10" cases, a spokesman in the state's AG office says.
The largest settlement in Massachusetts so far was a 2012 settlement with South Shore Hospital, which agreed to pay $750,000 to resolve allegations that it failed to protect the information of more than 800,000 consumers in a 2010 data breach.
Other more recent Massachusetts AG actions include a $150,000 settlement with Women and Infants Hospital of Rhode Island; a $100,000 settlement with Beth Israel Deaconess Medical Center in Boston; and a $40,000 settlement with Boston Children's Hospital.