State Lawsuit a Sign of TimesConnecticut case may be tip of iceberg
Under the HITECH Act, state attorneys general now can bring a civil action in federal court for violations of healthcare security and privacy rules.
The Connecticut case, filed Jan. 13 against Health Net, likely is the start of a wave of state cases to come, predicts security consultant Kate Borten of the Marblehead (Mass.) Group. "Enabling state attorneys general to enforce the HIPAA rules is a powerful tool," she says.
More complaints ahead?
More consumers are likely to file complaints at the state level rather than attempt to navigate through the federal bureaucracy, she argues. "We'll see many more complaints now, and we'll see states taking a big role in enforcement," she predicts.
Until now, many smaller healthcare organizations, such as clinics, "felt pretty comfortable that they wouldn't be on the radar screen of the federal government" if they were guilty of a security violation, Borten says. Now that states are also involved in enforcement, organizations of all sizes know that they face potential penalties for their actions, she argues.
On Jan. 13, Connecticut Attorney General Richard Blumenthal filed a lawsuit against Health Net of Connecticut Inc. in a case involving the loss of a portable disk drive holding records for about 446,000 enrollees.
The company failed to promptly notify state officials or the individuals affected when the hard drive disappeared from an office in Shelton, Conn., on May 14, 2009, the lawsuit alleges.
The drive contained 28 million scanned, unencrypted pages of documents, such as claims and membership forms, appeals, grievances and medical records. These included names, addresses, bank account numbers and Social Security numbers, according to the lawsuit.
The insurer was acquired by a unit of UnitedHealth Group in December 2009.