Twelve state attorneys general have brought suit against two medical Information Technology companies. The suits allege that Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard LLC, had poor security practices that led to medical data breaches, impacting close to four million patients. This case is the first coordinated multi-state attorney general HIPAA- related action, according to JD Supra. The AGs are accusing the companies of not taking adequate steps to protect information, and failing to notify patients of known breaches in a timely manner.
Specifically, the complaint claims the companies failed to engage an active security monitoring and alert system, and that they did not encrypt PHI within their systems. It is also alleged that no assessments of the potential risks relating to PHI was completed, nor was HIPAA training conducted. Finally, the complaint alleges that the companies did not have or adhere to reasonable and appropriate standards for protecting patient information. This case evidences a trend of states enforcing consumer and data privacy laws.
This complaint demonstrates the expectations regulators have regarding the types of security measures companies should have in place for protecting PHI. Multi-state litigation enforcing HIPAA violations could significantly increase the potential penalties applicable to companies that do not have the proper safeguards in place.
Not sure you have adequate security measures in place? Contact HIPAAcraticRx to schedule a Security Risk Assessment (SRA). We will provide a detailed report as to where you fall short, and help you mitigate issues ... for complete confidence moving forward.