Cleveland partner Steve Eisenberg was quoted in the February 2010 edition of Report on Patient Privacy in the article, "First AG HIPAA Suit Portends More State Actions; Sends Message on Encryption."
The focus of the article is the first-ever lawsuit brought by a state attorney general for possible violations of HIPAA. Connecticut Attorney General Richard Blumenthal brought the suit against Health Net, Inc., for multiple violations of both HIPAA and state laws, including the Connecticut Unfair Trade Practices Act, stemming from the May 2009 loss of a hard drive. The unencrypted drive contained protected health information for a total of 1.5 million current and former members, 446,000 of whom lived in Connecticut, according to the article.
According to the article, in bringing the suit, Blumenthal had to navigate the labyrinth of procedural "strings" that were attached to the HITECH Act provisions that granted new HIPAA enforcement powers to attorneys general. "I think this is probably only the tip of the iceberg" of what is to come now that AGs have HIPAA enforcement powers, said Eisenberg. Suits are likely to be more prevalent in states where "AGs are seeking higher office," he added. A week before suing Health Net, Blumenthal announced his candidacy for the U.S. Senate seat that will be open upon the retirement of Sen. Chris Dodd.
The Health Net case is on the minds of other covered entities and business associates, said Eisenberg. "I got a couple of calls about it,” he says. When asked if his callers thought the Health Net case was unique, his answer was a resounding "no." "They all could completely see how it could happen to them. Most [CEs] have good systems in place. Could they do things better? Yes," he said. "As I advise my clients, I don't see the issue of the [financial] penalty as the biggest problem," Eisenberg said. "I think the adverse publicity is the bigger problem."
News about a security breach—or as in Health Net's case, a breach followed by a lawsuit for a HIPAA violation—that breaks at a point when employers are conducting open season, could cause employers to drop a plan or a provider group, Eisenberg said. News of a legal action such as this coming during open enrollment season could have significant consequences, he said. As a result of Health Net's very public troubles, other plans "are looking at a couple of things. Staying in the safe harbor for encryption. Reducing what [PHI] goes out. Making sure they are disciplining employees," said Eisenberg.