Updates to Chapter 13
Regulatory Enforcement – State
ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION
13.3 Illustrative State Data Security Enforcement Actions
Diamond Institute for Infertility and Menopause – New Jersey
In October 2021, New Jersey’s acting AG announced settlement of a case against a healthcare provider arising out of a data breach that compromised the personal information of 14,663 patients. The state alleged violation of both the New Jersey Consumer Fraud Act, N.J.S.A. 56:8-1 et seq., and the HIPAA Privacy and Security Rules. It cited 20 specific ways in which Diamond fell short, including:
failing to conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
failing to implement a mechanism to encrypt ePHI;
failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI;
failing to implement proper procedures for creating, changing, and safeguarding passwords;
failing to implement a written contract or other arrangement with three business associates to document that it had obtained satisfactory assurances that the business associates will appropriately safeguard the ePHI; and
failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be.
The company agreed to pay $495,000 and implement new data security measures to include:
developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
appointing a new HIPAA Privacy and Security Officer with the appropriate background and expertise to implement, maintain, and monitor the information security program;
training employees concerning information privacy and security policies, and the proper handling and protection of personal information, PHI, and ePHI;
developing and implementing a written incident response and data breach notification plan to prepare for and respond to data security incidents; and
implementing personal information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.
Last updated: October 25, 2021.
Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.