MA AG Settles Cross-border HIPAA and Breach Notification Enforcement Suit: HIPAA & HITECH Act Blog by Jonathan P. Tomes

So only the state attorney general in the state in which you do business can file a lawsuit against you? Right? No, wrong.

A Rhode Island hospital has agreed to pay $150,000, undergo an audit, and implement security measures to settle a breach notification lawsuit brought by the Massachusetts Attorney General under the HITECH Act’s new expansion of HIPAA civil liability to include lawsuits brought on behalf of a patient by the state attorney general (patients themselves cannot sue, apparently to prevent frivolous lawsuits). Massachusetts v. Women & Infants Hospital of Rhode Island, No. 13-2332G (Mass. Sup. Ct.), concerned lost unencrypted back-up tapes containing 14,000 patients’ personal information, including 12,000 Massachusetts residents. The hospital did not report the breach to the patients or other authorities for more than six months. The Massachusetts Attorney General filed a lawsuit alleging that the failure to secure the data and the delayed notification violated HIPAA and Chapter 93A of the Massachusetts General Laws. Although neither Massachusetts nor Rhode Island requires notification within a specific time period, they do require businesses to issue breach notices as soon as possible and “without unreasonable delay,” according to the Final Judgment by Consent of Defendant.

Thus, the teaching point is that, if your practice treats patients from other states, you have to be concerned about those states enforcing HIPAA against you by lawsuit.

If you are concerned about the state of your HIPAA compliance, call our marketing director, Patrick R. Head II, toll-free at 855-341-8783 or email him at to sign up to attend our upcoming two-day Hands-on HIPAA Workshop aboard the Queen Mary, anchored in Long Beach, California, October 16-17, 2014.
