Connecticut Attorney General George Jepsen has imposed a fine of nearly $90,000 on Hartford Hospital and information technology vendor EMC Corp. for violation of HIPAA privacy and security rules.
Connecticut's action is a reminder to healthcare industry stakeholders that state AGs have full rights to enforce HIPAA, and many are doing so.
The penalty stems from the June 2012 theft of an unencrypted laptop, containing protected health information on nearly 8,900 Connecticut residents, from the home of an EMC employee.
EMC, a business associate of Hartford Hospital, was analyzing patient data in order to reduce preventable admissions of patients with congestive heart failure. After EMC notified Hartford Hospital of the theft, the facility realized it had not entered into a business associate agreement with the vendor, according to the AG office. The hospital contacted patients whose information was contained on the laptop, and it offered them credit and identity theft services from AllClear ID.
In addition to paying the fine, both organizations have entered into agreements to improve the security of protected health information. Hartford Hospital will encrypt files or data containing PHI before it transmits or transfers such information.
Hartford had already taken some measures to improve security. EMC has also agreed to “maintain reasonable policies requiring the encryption of all PHI stored on laptops or other portable devices and transmitted across wireless or public networks and to maintain reasonable policies for employees relating to the storage, access and transfer of PHI outside of EMC premises,” according to the AG statement.
Former Connecticut Attorney General Richard Blumenthal, now a United States Senator, targeted many other healthcare organizations following breaches. Health Net is one such company: it was sued for failing to disclose a large 2009 breach in an appropriate manner, and the settlement called for a $250,000 fine and a state-approved action plan. Then, the Connecticut Insurance Department used its state authority to fine Health Net of Connecticut $375,000.