HHS Lays Smack Down on HealthCare Orgs over HIPAA Violations
HIPAA, the Health Insurance Portability and Accountability Act of 1996 is no laughing matter and the U.S. Department of Health and Human Services (HHS) has made sure that message was clear in a pair of news releases this week. Protecting patient data is a very critical and growing focus amidst the growing threats in the world of cybersecurity, identity theft, and privacy concerns. It appears that HHS is increasing their activity and tone in regards to enforcement of the law, including this recent significant fine and settlement agreement.HHS recently announced an agreement from Massachusetts General Hospital to pay $1,000,000 dollars in settlement for violations of HIPAA stemming from an incident involving personal health information, also referred to as PHI. Interestingly enough, this instance was not a high-tech breach, but rather involved an employee that lost forms on a subway train. The number of affected patients was 192. In the settlement, the hospital agreed to enter into a Corrective Action Plan (CAP).
The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. OCR opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on March 9, 2009. OCR’s investigation indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.
In another case, HHS has made the determination that Cignet Health of Prince George’s County, Md., violated not only provisions of the law, but also cited a failure to cooperate with the ensuing investigation. This marks the first civil money penalty ever for violations of HIPAA law.
In the course of investigation, the Office for Civil Rights (OCR) subpoenaed records over denied access to medical records. Complaints had been made that between September 2008 and October 2009, 41 patients were denied timely access to their medical records. HIPAA rules requires copies of medical records provided to patients within a time period of no more than 60 days and 30 days being the normal timeframe.
In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.
While neither of these incidents are tied to technology breaches, they may indicate a lack of effective technology measures to secure this data. One can only expect that HHS will continue these efforts and they will carry directly into the realm of technology.
Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”
Since you’re here …
… We’d like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.
If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.
