15 March 2018
The New York Attorney General (‘AG’), Eric T. Schneiderman, announced, on 6 March 2018, a $575,000 settlement with EmblemHealth and its subsidiary, Group Health Incorporated (‘the Settlement’), over a data disclosure discovered in 2016. EmblemHealth had mailed 81,122 policyholders, including 55,664 New York residents, paper copies of their policy documents that revealed their social security numbers, in violation of the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’) and Section 399-ddd(2)(e) of the New York General Business Law.
Mark H. Francis, Associate at Reed Smith LLP, told DataGuidance, “There has been a noticeable uptick in state attorneys general exercising their authority on data privacy and security matters in recent years, and that certainly includes the healthcare sector. While protected health information in the US might be viewed by some as largely being the domain of federal authorities, the Settlement is a reminder that it is very much subject to both federal and state oversight. Even though EmblemHealth’s incident was reported to a federal regulator (the Office for Civil Rights) under HIPAA, the AG reinforced the notion that state authorities have and are prepared to exercise enforcement rights under both HIPAA and state laws governing privacy and breach notification.”
As part of the Settlement, EmblemHealth is required to conduct a comprehensive assessment of the security risks associated with mailing policy documents to policyholders, submit a report of the findings to the AG, review and revise its policies based on the same and notify the AG of any action it takes. In addition, EmblemHealth is required to improve oversight of its mailing practices, including by ensuring that workforce members are adequately trained in relation to their mailing functions, as well as by ensuring that it complies with the minimum necessary standard under the HIPAA Privacy Rule, and that it reports and remedies any violations as soon as practicable. For a period of three years, it must also report any security incidents involving the loss or compromise of New York residents’ information to the AG that might not otherwise trigger the reporting requirements under New York law.
Francis highlighted, “While HIPAA may set a [baseline] for health data, states are free to impose additional obligations, and they have done so both broadly and in particular, in areas such as mental health, communicable diseases, and substance use disorders. It is important to keep in mind that many types of personal information, such as social security numbers, as well as biometric, health and demographic information, may be subject to explicit state privacy laws.”
PASCALE ARGUNARENA | Privacy Analyst