HIPAA Blog

[ Thursday, May 30, 2019 ]

MIE breach brings state fines as well: Yesterday my favorite HIPAA/Privacy reporter tipped me off to the fact that MIE also got fined by state regulators.  MIE is an Indiana-based medical records company, and its clients are spread across the Midwest and elsewhere.  In addition to the $100,000 fine to OCR, MIE also paid $900,000 to a total of 16 states (Arizona; Arkansas; Connecticut; Florida; Indiana; Iowa; Kansas; Kentucky; Louisiana; Michigan; Minnesota; Nebraska; North Carolina; Tennessee; West Virginia; and Wisconsin) to settle HIPAA and state law breaches.

This is a good reminder: you can't only look at HIPAA to determine your obligations to protect data and report breaches; you also must look at state laws. Specifically, all states have data breach reporting laws, and most have either personal data protection/security laws or general "deceptive trade practices" laws that contain a privacy component.  Thus, your data security activities must be HIPAA compliant and state-law compliant, and if you suffer a breach, you must look at both the applicable state laws as well as HIPAA to determine your reporting obligations (some breaches require reporting under HIPAA only, some under state law only, and some under both).

Additionally, since the HITECH Act, OCR isn't the only show in town as far as HIPAA enforcement specifically. Even if OCR does not fine an entity, a state can do so specifically for the HIPAA violation itself, not merely for a state law violation.

In MIE's state law case, MIE paid OCR for violating HIPAA but also paid the 16 states for violations of HIPAA and state laws (i.e., not just state laws). But it was an agreed order, so it's hard to tell what would've happened had MIE argued that, since OCR had already fined them, they should not face state-level liability under HIPAA. I assume the states would've dropped the HIPAA part and relied on state law exclusively.

The final lesson: there are multiple regulators.  Don't forget that.

Jeff [11:29 AM]
