7x24 Exchange 2014 Spring Magazine - page 71

the Omnibus Rule that, “the Department will not impose the maximum penalty amount in all cases but will rather determine the amount of a penalty on a case-by-case basis, depending on the nature and extent of the violation and the nature and extent of the resulting harm, as required by the HITECH Act, as well as the other factors set forth at [45 C.F.R.] § 160.408.”¹⁵ These factors include, among other things, (1) the number of individuals affected by the breach, (2) whether the violation caused physical harm, (3) whether the violation resulted in financial harm, (4) whether the violation resulted in harm to an individual’s reputation, (5) whether the current violation is the same or similar to previous indications of noncompliance, and (6) whether and to what extent the covered entity, business associate, or subcontractor has attempted to correct previous indications of noncompliance.¹⁶

A Few Enforcement Examples

The enactment of the HITECH Act has indeed led to increased enforcement by the Office of Civil Rights. Enforcement actions may arise as a result of a complaint filed with OCR, a news report, or a self-reported data breach. To date, OCR has taken action against fourteen different organizations, ranging from health plans, relatively small providers, a state agency and, most recently, a county government. These enforcement actions are briefly summarized in Table 2.

Additionally, a number of State Attorneys General have taken action against covered entities, with one taking action against a business associate. For example, the State Attorneys General of Connecticut, Indiana, and Vermont have all taken action against covered entities, with both Connecticut and Vermont taking action against Health Net¹⁷ and Indiana taking action against WellPoint.¹⁸ Notably, the Indiana Attorney General pursued an action against WellPoint under Indiana’s data breach notification law because WellPoint failed to notify the State Attorney General’s Office “without unreasonable delay.”

Both the State Attorney General of Minnesota and the Federal Trade Commission took action against Accretive Health, a business associate, based on a data breach that happened in July 2011. Under the settlement with the Minnesota Attorney General, Accretive agreed to “cease all operations in Minnesota within ... 90 days, or by November 1, 2012. The company [will] then be subject to an outright ban on operating in Minnesota for two years, after which, for the next four years, it can only reenter the State if the Attorney General agrees to a Consent Order regarding its business practices in the State.”¹⁹

In addition to the enforcement actions described above, there has also been an increase in plaintiffs’ litigation stemming from healthcare-related data breaches. There is no private right of action under HIPAA. As a result, these actions are typically filed under state law alleging negligence, intentional infliction of emotional distress, negligent entrustment, breach of confidentiality, invasion of privacy, and a number of other claims.²⁰ In general, plaintiffs have experienced varied amounts of success because plaintiffs’