The Growing Epidemic of PHI Security Breaches – Providers and Insurers Beware of Enforcement by Attorneys General

January/February 2011 | Articles | Garden State Focus

The Breach Notification Rule in the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), which amended the Health Insurance Portability and Accountability Act of 1996 (“HIPAA” and, collectively with HITECH, “HIPAA/HITECH”), relates to public disclosure of security breaches of Protected Health Information (“PHI”). HIPAA/HITECH has continually brought to light new breaches of PHI involving highly respected and sophisticated health care providers and insurers (generally, “covered entities”).

The enactment of HITECH gave state attorneys general, for the first time, the ability to take enforcement action under HIPAA over PHI security breaches. Under HITECH, state attorneys general are authorized to bring civil suits in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. It can be expected that state attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments under HIPAA/HITECH and/or state law.