The New Jersey Attorney General's (AG) Office announced its settlement with Diamond Institute for Infertility and Menopause, LLC ("Diamond") following Diamond's data breach, which ran from August 2016 to January 2017. Diamond was accused of violating the New Jersey Consumer Fraud Act and the Health Insurance Portability and Accountability Act (HIPAA). The specific allegations against Diamond include:
failing to conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI;
failing to implement a mechanism to encrypt ePHI;
failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI;
failing to implement proper procedures for creating, changing, and safeguarding passwords; and
failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be.
Diamond disputes the allegations but nonetheless agreed to a $495,000 settlement, comprising $412,300 in civil penalties and $82,700 in investigative costs and attorneys' fees.
This settlement is a reminder that, in addition to state law, state AGs can bring HIPAA claims against Covered Entities and Business Associates. AGs are not bound by whether US Health and Human Services (HHS) has acted, so an HHS audit or settlement may precede or follow a state action on the same breach. As the figures above show, an AG settlement can be as expensive as, or more expensive than, an HHS settlement. We also note (as consultants, not as legal counsel) that more and more entities serve patients in more than one state (e.g. laboratories), and so may face enforcement from more than one AG.
Stay (HIPAA) safe,