…the AG asks the CE, “Is that your BA?” Wait for it…
In the United States very few states have not passed additional privacy legislation since the enactment of HIPAA, or even before HIPAA came on the scene. Most states have a privacy law that governs the use of personally identifiable information (PII), including protected health information (PHI), to ensure the security and privacy of their citizens when their information is used or disclosed by any business operating in the state.
In some cases the state law is more stringent than HIPAA and already requires covered entities and business associates to protect PII or PHI, because state privacy laws are usually written from the perspective of any business operating within the state's boundaries. Although a covered entity may do business in a state with no additional privacy laws, we must not forget that HITECH opened the door for the State Attorney General (AG) to enforce HIPAA directly. Dun, dun, dun…
State Attorney General “Persona”
Some state prosecutors are a little more aggressive than their counterparts, and they have quickly targeted the risk that a covered entity or a business associate poses to a constituent's PII or PHI. Lest ye forget, in most states they are elected officials. What wins the hearts and minds of most individuals? Heroes, champions for the greater good, and anyone else looking out for their personal welfare. Enter the AG, who proclaims, “I will defend your right to privacy and punish the gross and negligent offenders!” HAAAA! Roar! And the crowd goes wild!
Campaigns to Date
It has been the common trend for states to prosecute based on their own data privacy laws. This is changing, though. Connecticut was the first state to bring an action under the HITECH authority in 2010. Other states slowly followed suit; to date the most active have been Connecticut and Massachusetts, which go after violations of both state and HIPAA requirements.
Healthcare Info Security, a common source of health information security events and news that many of you may already follow and that I have cited here in the past, ran an article this month about the 2012 breach involving Hartford Hospital and a business associate, EMC Corp, and how the state of Connecticut responded with fines and remediation activities. The real takeaway from that article, though, is the question we have been asking throughout this blog: how are you managing the risk that may stem from a business associate breach? Are you hoping it will take care of itself because you prefer surprises? Hmm…remember that concept called “willful neglect”?
Where’s the punch line?
If a covered entity is still relying on the face value of its business associate agreements, rather than verifying that the safeguards those agreements promise are actually in place, it is safe to say the risk from a business associate will continue to increase, not suddenly diminish. If the federally mandated requirements of HIPAA are not enough to adjust your strategy, I would suggest you make sure you have a handle on what your state may be up to. You may be one of the lucky ones whose state requirements are stricter. Stricter or not, though, breaches rarely have happy endings for covered entities.
The CE says, “Yes. Would you like to join us?” The AG says, “No, thanks. I’ll SETTLE with you later.”