In 2021, the New Jersey Office of Attorney General (“NJAG”) entered into three settlement agreements with various healthcare entities over alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”).
Of note, in these 2021 HIPAA settlements, the NJAG: (i) extracted monetary penalties; (ii) examined whether the entities maintained the HIPAA policies, procedures, and workforce training required by law; and (iii) required the entities to appoint a Chief Information Security Officer as a condition of settlement.
The settlements generally addressed years-old violations or breaches of protected health information (“PHI”), underscoring for HIPAA covered entities that a HIPAA breach that occurs today may take months – or years – to resolve in the event of an investigation by a regulator.
Key Takeaways
State Attorneys General have had enforcement authority under HIPAA since the HITECH Act of 2009, alongside the federal regulator primarily tasked with enforcing HIPAA, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services. Nevertheless, State Attorneys General do not often exercise this enforcement authority, likely because of limited resources and limited in-house expertise in data privacy issues. New Jersey, however, bucks this trend.
In 2018, the NJAG formed a Data Privacy and Cybersecurity Section; it was this Section that investigated and brought about the HIPAA settlements described above.
As data privacy and cybersecurity concerns continue to proliferate, we expect other Attorneys General to similarly follow New Jersey’s lead and dedicate both staff time and investigative resources to enforcement actions regarding the misuse of data or breaches of PHI under HIPAA. As such, covered entities and their business associates may face increased scrutiny from state-level regulators, in addition to OCR, with respect to alleged violations of HIPAA.
How Frier Levitt Can Help
The data collection practices of healthcare providers and their business associates are largely governed by HIPAA. However, other entities such as consumer technology companies and marketers must comply with many state and international data privacy and data breach notification laws.
From providing guidance on day-to-day HIPAA compliance concerns, to helping healthcare technology companies develop compliant data use policies and workflows, Frier Levitt can assist clients in addressing their data privacy and cybersecurity needs.
Contact Frier Levitt for assistance with HIPAA compliance, responding to a HIPAA breach, or structuring technology or data use arrangements in compliance with HIPAA or other data privacy laws.