On March 6, 2018, New York Attorney General Eric Schneiderman announced a settlement with health insurer EmblemHealth and a wholly owned subsidiary Group Health Incorporated. The settlement was based on Emblem’s “admission” of a mailing error that resulted in thousands of Social Security numbers being disclosed in a mailing.
At first glance, the case might seem “routine.” Company has security breach, government investigates, and takes enforcement action. It happens all the time when the breach involves SSNs. But there’s a lot more going on here. Let’s take these interesting points in turn.
First, the AG used this case to promote a proposed amendment to the existing New York data breach notification law. Not uncommon, but the amount of continuing tinkering with state data breach laws is growing. I’ve been asked about two recent enactments and at least three new proposals in recent days, all of which (if implemented) will result in the reporting of more and more situations that are being defined as breaches. I’m concerned that we are moving away from the general (or at least initial) purpose of these laws–to provide notice where there was some action for the consumer to take–and simply expanding these laws to give notice where there’s no reasonable action to take and no realistic risk, which is mainly a boon to the plaintiffs’ bar.
Second, the case involved ongoing concerns about SSNs. According to the AG’s press release, this mailing “inadvertently included the insured's Health Insurance Claim Number, which incorporated the insured's social security number.” Another reminder of one of the key risk management opportunities for virtually any company – review everywhere in your company that you collect, store, use and disclose SSNs. I can essentially guarantee that you will find a significant problem or issue with an enormous percentage of those situations.
Third–and in general the most interesting issue–is that this case involved, ultimately, the attorney general's settlement of a HIPAA case, where he alleged that “EmblemHealth failed to comply with many of the standards and procedural specifications as required by HIPAA.”
As a reminder, state attorneys general have enforcement authority under HIPAA. It was informal before HITECH, and formal after HITECH. It is also constrained under HITECH (at least where the virtually unused formalities of the HIPAA enforcement rule come into play). When HITECH was passed, I raised this authority as an area of potential concern. I have great respect for how the HHS Office for Civil Rights has enforced HIPAA over the past 15 years. They have been thoughtful and responsible, and have engaged in their enforcement authority with a deep understanding of the health care industry and with an appropriate need to balance HIPAA’s protections with a health care system that appropriately uses and shares information. They recognize that mistakes happen and care a lot about what you did before the event, and how you reacted to and learned from the mistake. My concern, at the time, was that attorneys general might not have any of those elements in their enforcement approach, and might take action simply because “something happened.”
We haven’t seen the state attorneys general do too much on HIPAA since HITECH went into effect (I would have been really intrigued to see a state AG take specific enforcement action between 2009 and 2013, when HHS wasn’t acting until rules came out, but the law said what it said). So, some of my concerns haven’t come to fruition. But, this case is a reminder to pay attention going forward.
Here’s what we need to watch.
- Will this case be one of a kind, or the start of a trend?
- Will other state AGs get into this game?
- Will they start taking action based on specific HIPAA provisions, rather than the “more general” authority that they have under other enforcement provisions?
- Will state AGs understand how HIPAA works?
- Will they care about industry standards or “typical” activities in the industry?
- Will they take different interpretations than OCR does?
- OCR always wants to know what your precautions were when the incident happened, how you handled the incident and what you have done to improve your situation since the incident. Do the AGs care about this?
- I don’t have any idea what Emblem had in effect at the time of this incident, but, in most situations, a single bad mailing does not mean that (1) anyone has “violated” HIPAA or (2) that enforcement action would be taken. Does this case signal “worse facts” than usual, or simply a different approach for this AG than OCR typically would take?
There are a lot of questions about HIPAA enforcement today. OCR has lost several of its key leaders, including two with the most significant HIPAA experience. The new OCR director does not have significant HIPAA experience (nor did his predecessor, so this isn’t by itself an issue), but he also seems focused on other issues under his purview. Budgets and staffing are under attack. The new director also gave a HIMSS speech this week where he spoke of the possibility of "deregulatory opportunities" to reduce industry burdens from the HIPAA Rules. So we can’t be sure where OCR will be going on HIPAA enforcement.
That raises the real possibility–in New York, California and other places, both as a general response to the new administration and a more specific response in this particular area–that states will get more involved in HIPAA enforcement. If you are involved in the health care industry – as a covered entity, a business associate or otherwise, make sure that OCR isn’t your only focus. The states might be coming as well–and they could be taking a very different approach to enforcement.