AGs Launch 12-State HIPAA Lawsuit Against Business Associate in Indiana

A first-ever lawsuit filed by 12 state attorneys general against electronic medical record vendor Medical Informatics Engineering Inc. signals heightened state-level enforcement of HIPAA, along with increased activity surrounding individual states’ privacy laws, attorneys and security experts say.

The lawsuit, led by Indiana Attorney General Curtis Hill, alleges that Medical Informatics Engineering and its subsidiary, NoMoreClipboard LLC, violated HIPAA by failing to protect electronic protected health information (ePHI) belonging to more than 3.9 million individuals. The lawsuit also alleges violations of state consumer protection, data breach and personal information protection laws.

Devin Chwastyk, chair of the privacy and data security group at law firm McNees Wallace & Nurick LLC in Harrisburg, Pennsylvania, says this lawsuit, filed in December, represents the first time states have come together in court to enforce federal HIPAA requirements.

“Usually, states only step into the void to regulate where the federal government has failed to do so,” he tells RPP, citing a data breach case filed against Uber by attorneys general of all 50 states. That case, which affected some 57 million Uber customers across the United States, settled in September when Uber agreed to pay $148 million.

“Given the lack of any federal, generally applicable national data security or breach notification law, the Uber breach represented one such void,” Chwastyk says. “But HIPAA covered entities and business associates are heavily regulated by the Department of Health and Human Services, which has shown no reticence in imposing federal fines for HIPAA breaches. So it’s curious that the states are piling on to enforce HIPAA concurrently with HHS. That could mean double exposure for HIPAA violations.”
