States’ Attorneys General Enforce HIPAA

Veriphyr proactively reports impermissible use of PHI the first time it happens. 

Since a precedent set by US District Court Judge Rudolph Contreras in June, HIPAA enforcement has been limited to the Department of Health and Human Services and the states’ attorneys general. A recent case involving a HIPAA violation by a New York nonprofit shows how the attorneys general are stepping up to this role.

The Arc of Erie County

In February of 2018, the Arc of Erie County was alerted by a member of the public that clients’ protected health information (PHI) was easily available online. The information available included the full name, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security number of 3,751 individuals.

It had been available online since July 2015, just over two and a half years.

While clients’ PHI should have been available to only authorized staff with login credentials, it could be found in a spreadsheet after a brief internet search.


The Breach Came From Abroad

The nonprofit alerted the Department of Health and Human Services Office of Civil Rights (HHS OCR). OCR found in the resulting investigation that the information had been accessed multiple times by individuals outside the United States.

New York Attorney General Barbara D. Underwood found the Arc of Erie County guilty of a HIPAA violation and fined the organization $200,000. This case demonstrated how failure to protect patients’ information is legally equivalent to impermissible disclosure of PHI.

In addition, the Arc of Erie County agreed to implement a Corrective Action Plan (CAP). The plan includes a thorough risk analysis of its electronic equipment and data systems. To prevent future violations, the organization commits to correcting all vulnerabilities and to revising and reviewing all policies and procedures (a).


The HITECH Act of 2009

State attorneys general have had the authority to bring civil actions on behalf of state residents in response to HIPAA violations since 2009. It was the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act, that gave them this power (b).

HHS has created a HIPAA training course for states’ attorneys general to support the enforcement process (b). However, there are still concerns that attorneys general lack the understanding of the healthcare industry needed to enforce HIPAA well (c).


Uptick in HIPAA Enforcement

In March 2018, Attorney General Underwood’s predecessor Eric Schneiderman announced a settlement with EmblemHealth. Emblem had admitted to a mailing error that exposed thousands of New Yorkers’ Social Security numbers.

Schneiderman’s action against Emblem was the start of a trend toward attorneys general enforcing HIPAA more strictly. Combined with the precedent set in June by US District Court Judge Rudolph Contreras mentioned above, enforcement of HIPAA by attorneys general shifted from a technical possibility in the law to an ongoing practice.

With new privacy laws, Canada has also been doubling down on patient privacy protection.

Thankfully, Veriphyr’s advanced data analytics can help healthcare organizations detect patient privacy breaches the first time they happen. With a unique understanding of each healthcare organization, Veriphyr’s privacy compliance solution promptly delivers the necessary information to maintain regulatory compliance and ensure the highest level of patient privacy.


(a) HIPAA Journal – September 4th, 2018

(b) Department of Health and Human Services – State Attorneys General

(c) International Association of Privacy Professionals – March 8th, 2018