not adhere to the Privacy Rule’s minimum necessary standard. Notably, the complaint does not allege that MIE impermissibly disclosed information or any other Privacy Rule violation.
State Data Protection and Data Breach Notification
Separately from the HIPAA violations, the State AGs also argued that MIE violated various state laws. At the time of the breach, eight of the states—Arkansas, Florida, Iowa, Kansas, Louisiana, Minnesota, Nebraska, and North Carolina—had breach notification laws that required notification either within specific timelines or without unreasonable delay. The time between MIE’s discovery of the breach and the notification of impacted individuals ranged from 52 days to more than six months, a violation of numerous state statutes, according to
Additionally, five of the states—Arkansas, Florida, Indiana, Kansas, and Wisconsin—have laws that require companies to implement reasonable procedures to protect personal information. According to the AGs, the same failings that trigger the HIPAA violations also create a violation of these statutes; in the complaint, the AGs are treating the lack of protections required by HIPAA as being unreasonable under the state laws, an important point regarding future potential enforcement of state laws applicable to data breaches.
Finally, the twelve states that originally filed the suit had statutes prohibiting unfair or deceptive trade practices. The AGs included allegations in their complaint that MIE violated these statutes, pointing to the fact that MIE had previously made public statements in which it claimed that it would comply with HIPAA and would protect patient information.
The AGs argue in the complaint that MIE promoted its ability to comply with HIPAA when marketing its services, so not following through on these promises is a deceptive act. This deception is separate and apart from the underlying security violations and the failure to notify people of the data breach in a timely manner.
Putting the Case into Perspective
As discussed, there are a number of important aspects of this case. First, this case is unusual because it marked the first time that numerous State AGs have acted together to enforce HIPAA. The change of strategy by state regulators could be because MIE mishandled information about patients in multiple states. It is also noteworthy that MIE is a BA rather than a CE. Although HIPAA enforcement actions were routinely brought against CEs in the previous decade, the HITECH Act in 2009, which expanded jurisdiction over BAs, has increased the scrutiny on BAs. This lawsuit could be an indication that state regulators are becoming increasingly focused on underlying service providers, such as health record management system providers, that interact with CEs’ patient information.
Second, it is worth noting that the complaint focuses mostly on violations of basic HIPAA Security Rule requirements. The types of security failures—weak credentials, lack of encryption, no user access controls, and no security monitoring—can be solved by fairly standard controls. In fact, it may have been that in this action the State AGs were enforcing the proverbial low-
This case does not necessarily demonstrate that AGs are now expecting a state-of-the-art security framework. Instead, it’s an indication that meeting the basics is likely a way to keep HIPAA CEs out of State AGs’ crosshairs—for now.
Third, other than the minimum necessary standard, the AGs did not discuss the Privacy Rule and curiously did not include any claims that MIE improperly disclosed PHI. The Privacy Rule requires that both CEs and BAs disclose PHI only as permitted by the Privacy Rule, and an impermissible disclosure is in and of itself a HIPAA violation.
Furthermore, the fact that the state law violations were imposed separately from, and not overlapping, the HIPAA claims is important because by separating the claims, the AGs settled regarding separate fines under each law.
Note that the AGs’ imposed state claims required different duties on the part of BAs when compared to HIPAA requirements. As both HIPAA and the various state laws have significant penalties, this duplication can quickly increase the financial costs for
While the AGs’ unique approach to this case is significant, it is unlikely that this type of action will become the norm. This particular action was the result of a large breach impacting many individuals in multiple states. In situations without similar footprints, it is unlikely that multiple AGs would focus their attention on an entity, and even more unlikely that they would coordinate their efforts. Additionally, as mentioned above, given the nature of the alleged security failings, the AGs were likely confident that they could prevail or reach a worthwhile settlement for purposes of sending a message about good baseline security safeguards to other vendors.
Finally, coordination among states takes a significant amount of resources. Even with the $900,000 settlement for the State AGs (and the $100,000 settlement with HHS), the State AGs likely invested much more in this case. Taken altogether, the handling of this case has significance, but multistate lawsuits are unlikely to become the norm.
Disclaimer: Polsinelli, LLP provides this material for informational purposes only. The choice of a lawyer is an important decision and should not be based solely upon publications.
Iliana L. Peters (firstname.lastname@example.org) is a shareholder and Pasha Sternberg (email@example.com) is an associate at Polsinelli, LLP.
Article: “Historic State AG HIPAA Filing: An Important Case to Understand” (AHIMA CE Quiz ID Q1919008; expiration date September 1, 2020; HIM Domain Area: External Forces)