Last week, the Connecticut Attorney General (the “Connecticut AG”) announced that Hartford Hospital and its subcontractor, EMC Corporation (“EMC”), agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The entities will collectively pay a $90,000 penalty and also sign an Assurance of Voluntary Compliance (an “AVC”).
The Connecticut AG first learned of the potential HIPAA violations upon receipt of notification from Hartford Hospital in July 2012. Hartford Hospital informed the Connecticut AG that it had retained EMC as a subcontractor to assist with a quality improvement project, and a laptop containing the unencrypted Protected Health Information (“PHI”) of over 8,000 Connecticut residents had been stolen from an EMC employee’s home. Hartford Hospital maintained that there was no evidence that any of the PHI had been misused, although the laptop was not recovered.
The investigation revealed HIPAA compliance deficiencies at both Hartford Hospital and EMC. The two had not entered into a Business Associate Agreement (“BAA”) with one another, and both lacked certain required policies and procedures. Under the AVC, both parties will augment their HIPAA compliance programs. Hartford Hospital, for example, will implement corrective action regarding its vendor contracting process and has agreed to encrypt certain files containing PHI. EMC similarly agreed to establish policies governing the encryption and proper storage of PHI. Both parties will also provide additional workforce training on HIPAA and on privacy and security generally.
State attorneys general became authorized to enforce HIPAA via the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) of 2009, and this settlement is the latest example of a state official exercising this authority. It is also notable because, although most HIPAA enforcement to date has focused on Covered Entities, this settlement involves both a Covered Entity and a Business Associate. This settlement has been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.