Connecticut Attorney General Richard Blumenthal has commenced an investigation in a second case involving potential HIPAA violations by a worker at Griffin Hospital. This follows the suit commenced against Health Net for HIPAA violations following a data breach. As reported by George Gombossy of ctwatchdog.com, this would be the second time a state attorney general has used the enforcement authority granted under the Health Information Technology for Economic and Clinical Health Act (HITECH).
The Attorney General’s press release states:
My office is investigating allegations that a radiologist formerly affiliated with Griffin Hospital improperly accessed the medical information of almost 1,000 of the hospital’s patients.
These charges, if true, are deeply disturbing. Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals.
Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts.
Griffin Hospital rightly informed my office of this alleged data breach and is cooperating with our investigation.
Efforts are underway to help state Attorneys General become more actively involved in HIPAA enforcement. For example, the Department of Health and Human Services (HHS) has awarded a $1.7 million contract to train attorneys general on enforcing HIPAA and, specifically, to assist the Office of Civil Rights (an arm of HHS) “in conceptualizing and implementing a training curriculum for state attorneys general staff and others affected by the HIPAA Privacy and Security Rules.”
It is important that HIPAA-covered entities and business associates focus on compliance so when there is a data breach, they will be better positioned to respond to a state attorney general inquiry.