Updates to Chapter 13

Regulatory Enforcement – State

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION

13.3 Illustrative State Data Security Enforcement Actions

Diamond Institute for Infertility and Menopause – New Jersey

In October 2021, New Jersey’s acting AG announced settlement of a case against a healthcare provider arising out of a data breach that compromised the personal information of 14,663 patients. The state alleged violation of both the New Jersey Consumer Fraud Act, N.J.S.A. 56:8-1 et seq., and the HIPAA Privacy and Security Rules. It cited 20 specific ways in which Diamond fell short, including:

  • failing to conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI;

  • failing to implement a mechanism to encrypt ePHI;

  • failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI;

  • failing to implement proper procedures for creating, changing, and safeguarding passwords;

  • failing to implement a written contract or other arrangement with three business associates to document that it had obtained satisfactory assurances that the business associates will appropriately safeguard the ePHI; and

  • failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be.

The company agreed to pay $495,000 and implement new data security measures to include:

  • developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;

  • appointing a new HIPAA Privacy and Security Officer with the appropriate background and expertise to implement, maintain, and monitor the information security program;

  • training employees concerning information privacy and security policies, and the proper handling and protection of personal information, PHI, and ePHI;

  • developing and implementing a written incident response and data breach notification plan to prepare for and respond to data security incidents; and

  • implementing personal information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.


Last updated: October 25, 2021.

Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.