The Obama Administration continues to accelerate its enforcement of the HIPAA Privacy and Security Rules. This month saw two additional seven-figure enforcement actions: one civil monetary penalty and one negotiated settlement.
On February 4, 2011, the Department of Health and Human Services (HHS) issued its first-ever HIPAA Civil Monetary Penalty. The penalty was levied against a Washington DC area clinic/health plan, Cignet Health, which received a whopping $4.3 million fine for failing to provide 41 individuals with access to their medical records. Cignet ignored multiple letters and phone calls from the HHS Office for Civil Rights (OCR) during the investigation, so the largest portion of the penalty, $3.0 million, was for willful neglect in failing to cooperate. The remaining $1.3 million was for the 41 sets of access violations themselves.
On February 14, 2011, HHS negotiated a corrective action plan, with a settlement amount of $1.0 million, with the prestigious Massachusetts General Hospital for a breach that occurred on March 9, 2009. An employee left documents on a subway train that included a patient schedule containing the names of 192 patients, and billing forms with name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider for 66 of those patients.
“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” said Office for Civil Rights Director Georgina Verdugo. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”
A review of the full corrective action plan shows the feds’ thinking regarding appropriate policies and procedures for this organization. Mass General agreed to develop, maintain and revise policies governing
- physical removal and transport of Protected Health Information (PHI)
- laptop encryption
- USB drive encryption
Training, and records of that training, are both included in the corrective action plan. The hospital must distribute these policies to all members of its workforce who have access to PHI, and must distribute them to new members of its workforce within 30 days of their beginning service. Mass General must also retain copies of all materials used in the training.
The lesson from these cases is to pay attention to any PHI that leaves the premises. While most recent cases involve lost laptops or other electronic breaches, this was an old-fashioned paper loss. Address PHI leaving the premises with written policies, technical safeguards (such as the laptop and USB drive encryption required of Mass General), and robust training. And, of course, if you get any letters or phone calls from HHS, make sure you answer them!