Connecticut Attorney General Richard Blumenthal is investigating his second case involving HIPAA violations this year, using again a legal authority granted to state attorneys general under the HITECH Act signed into law February 2009.
Blumenthal’s office confirmed in a statement Monday that it is pursuing a case involving allegations that a radiologist formerly affiliated with a Connecticut hospital improperly had access to the records of nearly 1,000 of the hospital’s patients.
Three months ago, Blumenthal announced he was suing Health Net of Connecticut, Inc., after the insurer reportedly failed to secure private medical records and financial information of 446,000 Connecticut members and then did not promptly notify them of the possible security breach for six months.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog , says the power granted to state AGs to pursue lawsuits is a major change for HIPAA enforcement.
“Combined with the ability of individuals to get a ‘piece of the pie’ when penalties are handed out, this will be the biggest game-changer in HITECH,” says Drummond. “In my opinion, you can forget about the data breach notification provisions, the direct regulation of business associates, or the increased penalties. The biggest game-changer in HITECH is the added ability of state attorneys general to act as ‘HIPAA police.’ Making BAs directly subject to HIPAA doesn’t change much if the soft enforcement regime of OCR stays the same; increasing the penalties doesn’t matter if no penalties are being assessed. But, add the new AG enforcement powers to the right of affected individuals to share in any fines or penalties collected, and the entire enforcement calculation changes.”
The hospital involved in this week’s case is Griffin Hospital of Derby, CT, a 160-licensed-bed facility that handled about 7,500 admissions last year (179,000 outpatients). Griffin confirmed the breach of protected health information (PHI) in a statement on its Web site .
From February 4 to March 5, Griffin said an investigation revealed a radiologist previously affiliated with the hospital or on the hospital’s medical staff used the passwords of other radiologists and an employee within the radiology department to gain access to 957 patient radiology reports on the hospital’s Digital Picture Archiving and Communication System (PACS). The reports included patient name, exam date, exam description, gender, age, medical record number, and date of birth, according to the facility.
The radiologist, once contracted with Griffin for radiology professional services, had authorized access to the hospital’s PACs system. However, his employment with the radiology group was terminated on February 3, 2010, Griffin says, and his password revoked.
But through its investigation, Griffin learned of a repeated, unauthorized access from a single computer to its PACS. Its audit identified the former employee’s computer Internet Protocol Address as the one that made the inappropriate access.
The former employee downloaded the image files of 339 of these patients, Griffin said.
HealthLeaders Media on Tuesday asked a Griffin Hospital spokesperson if the former radiologist sought personal financial gain by recruiting the hospital’s clients. Bill Powanda, vice president at Griffin and the hospital’s spokesperson for the incident, said, “that will all come out in the investigation.”
“These charges, if true, are deeply disturbing,” Blumenthal said in a statement. “Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals. Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts.”
Griffin began the investigation when patients contacted Griffin about “unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients’ interest in having those services provided at Griffin Hospital.”
Griffin said it has complied with HITECH breach notification requirements by:
- Notifying the HHS secretary
- Notifying patients who have had their PHI accessed in the breach
- Disclosing the information to the local media
- Posting information about the breach on Griffin’s Web site
Griffin officials have also notified Blumenthal’s office about the breach, changed all of the passwords for PACS users whose passwords were used without authorization, and advised all users of the need for strict password confidentiality.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix, AZ, and principal of HIPAA Boot Camp  in Casa Grande, AZ, says bringing state AGs into the HITECH enforcement mix raises the possibility of discovered breaches to a “new level.”
“I certainly can see attorney generals becoming motivated first responders to discovered breaches when compared to actions that may be taken by a federal entity. Bottom line, enforcement, or at least the threat of enforcement, is moving closer and closer to home with respect to the location of the involved covered entity,” he says.