A $1.1 million settlement between Horizon Healthcare, Inc. and the state of New Jersey has raised the stakes for HIPAA-covered entities throughout the country, according to Jackson Walker healthcare attorney Jeff Drummond. In a recent article in Report on Patient Privacy, Jeff commented on the case and how a combination of state enforcement and action by the HHS Office of Civil Rights will affect HIPAA penalties in the future.
The case stems from the theft of two laptops from Horizon’s Newark headquarters during the renovation of its offices. The ensuing investigation revealed that a division of employees within Horizon held protected health information for over 700,000 individuals on their laptops, though holding this information was not essential to their job functions. The investigation also found that at least 32 employees of a moving company and 266 employees of various vendors and contractors had unsupervised access to the areas from which the laptops were stolen. These findings amounted to 24 HIPAA violations and multiple state law violations, and formed the basis of the state’s case against Horizon.
Jeff, who represents health care providers in various HIPAA law matters, explained that the Horizon case was a smart choice for New Jersey to pursue, based on the company’s size and ability to pay a large settlement. However, he commented, “I think the fines are way too high unless unknown details, such as possible lack of cooperation, influenced the state.” He explained that the state made “no apparent attempt to show the data was misused,” and that to him, this should have been “more of a six-figure settlement.”
Even with the New Jersey HIPAA settlement, Jeff notes that Horizon could still be vulnerable to enforcement action by the OCR. Though double jeopardy negates the OCR’s ability to pursue the same violations, it has in the past been able to use state action as a means to bring a case against a HIPAA-covered entity.
For more information, read “Big New Jersey Settlement Shows State Agencies Also Pack Enforcement Muscle” and “States, OCR Can Deliver a One-Two HIPAA Punch” in the March issue of Report on Patient Privacy (subscription required).
About Jeff Drummond
Jeff Drummond is a healthcare attorney who focuses his practice on transactional and regulatory matters. He has extensive experience with HIPAA regulations and cybersecurity issues, and has represented clients in direct negotiations with the HHS Office of Civil Rights in relation to potential data breaches. Jeff is AV Rated by Martindale-Hubbell and was recognized on D Magazine’s Best Lawyers list in 2014.