What is a Multistate HIPAA Settlement?
There’s no right against HIPAA double jeopardy. In other words, OCR may fine a covered entity or business associate for noncompliance, and a state may, at the same time, before, or after, file a lawsuit against the same entity alleging breach of the state’s healthcare privacy and security laws. In a number of instances, multiple states have joined together to file one lawsuit against an entity, with each state suing under its own laws. This type of lawsuit, called a multistate lawsuit, can prompt an entity to settle with the state plaintiffs for millions of dollars.
CHS Multistate HIPAA Settlement
Tennessee-based Community Health Systems (CHS) learned the hard way that there is no escape from HIPAA double jeopardy. In September of 2020, CHS settled with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) for $2.3 million over a massive data breach impacting over 6 million patients. The agreement settled numerous violations of the HIPAA Security Rule committed by CHS. CHS also agreed to develop and adhere to a two-year corrective action plan. Flash forward about two weeks: in early October, CHS reached a $5 million settlement in a multistate lawsuit brought by 28 states. The lawsuit alleged the same violations and misconduct that the OCR had found. Under the terms of the multistate HIPAA settlement, the plaintiff states that filed the suit were awarded damages, to be given to individual plaintiffs whose PHI was exposed. Under additional terms of the multistate HIPAA settlement, injunctive relief was awarded to the state plaintiffs. Injunctive relief (an injunction) requires a litigant to either do something or refrain from doing something. The injunctive relief awarded in this case requires CHS to comply with individual states’ data privacy laws.
What Events Gave Rise to the Lawsuit Resulting in the Multistate HIPAA Settlement?
On October 8, 2020, Tennessee-based Community Health Systems (CHS) reached a $5 million settlement with 28 states to resolve an investigation into its massive data breach that impacted 6.1 million patients in 2014. The data breach was caused by a hack launched by foreign hackers that lasted from April 2014 through June 2014. The hackers used an advanced malware attack through which they obtained a host of sensitive patient information, including Social Security numbers, contact details, patient names, and dates of birth. The plaintiff states investigated the breach and then filed a lawsuit seeking damages and injunctive relief.
What Does the Multistate HIPAA Settlement Require CHS to Do?
The October 8th judgment resolves the states’ investigation into the breach, and the states’ complaint. Under the terms of the multistate HIPAA settlement, CHS will pay the 28 states a total of $5 million in damages stemming from violation of state data privacy and security laws. Under the terms of the settlement, CHS must also implement and maintain a comprehensive information security program. The requirements of the security program are outlined in the multistate HIPAA settlement. The security program requirements have been imposed to ensure that CHS complies with the 28 states’ individual health data privacy and security laws. If CHS fails to implement the security measures, or violates these laws, it faces additional penalties under the multistate HIPAA settlement agreement.
What Specific Security Measures Does the Multistate HIPAA Settlement Agreement Require?
The multistate HIPAA settlement agreement requires CHS to develop, implement, and maintain a written security program designed to protect the confidentiality and integrity of protected health information, including administrative, technical, and physical safeguards. The safeguards must be part of a policy of minimum necessary access, such that CHS may only access PHI to the extent required by law and by agreement with its service providers.
CHS must also implement and maintain password management policies and practices to manage access to user, service, and vendor accounts. The passwords must be strong, complex, and rotating, and cannot be saved in plaintext.
CHS also must designate an executive or officer whose full-time duty will be to implement, maintain, and monitor the security program.
The multistate HIPAA settlement agreements are between CHS and Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.