Two recent enforcement actions
On February 24, 2011, the Office for Civil Rights ("OCR"), which enforces HIPAA for the Department of Health and Human Services ("DHHS"), announced a Resolution Agreement with the entities that make up Massachusetts General Hospital and its practices. Mass General agreed to pay $1,000,000 to settle "potential" violations of HIPAA arising from the loss of PHI by an employee on a subway train in March 2009. The PHI included names, diagnoses (including HIV/AIDS information), billing data and more.
Quotes from the OCR: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information,” said OCR Director Georgina Verdugo.
“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” said Verdugo. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”
On February 4, 2011, in a Notice of Final Determination, DHHS imposed a $4.3 million civil money penalty (CMP) on a number of entities doing business as Cignet Health in Prince George's County, Maryland ("Cignet") for violations of the HIPAA Privacy Rule. This was the first CMP issued under the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The claim was that Cignet had failed to provide 41 patients with access to their records, which accounted for $1.3 million of the penalty. The bigger chunk of change ($3 million) came as a result of what the OCR called Cignet's failure to respond to the OCR subpoena or cooperate with the DHHS investigation.
More OCR quotes: “Today the message is loud and clear: HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts,” said OCR Director Georgina Verdugo.
“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and seriously consider their compliance with all of HIPAA’s requirements,” said Director Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”
And, if that isn't enough, last week Adam Greene, Senior Health IT and Privacy Advisor to the OCR, outlined a number of changes to existing regulations at the HIMSS conference in Orlando. According to press coverage of the conference, Greene said the final HITECH privacy, security and breach notification rules will arrive in 2011 and be issued together, to minimize staggered compliance dates and repeated changes to notices of privacy practices. He apparently emphasized certain key HITECH changes, including:
* Patients' access to their treatment information in electronic format
* Ability of EHRs to handle requested restrictions where patients pay out of pocket
* Much higher CMPs, ranging up to $50,000 per violation and capped at $1,500,000 per calendar year for identical violations
* Accounting for disclosures of patient information for treatment, payment and health care operations from your EHR (notwithstanding the near impossibility of that task, according to every provider I've ever encountered.)
What does this mean for you, as a provider? Do your gap analysis and risk assessments, get your policies in place and train your staff, monitor your program, and keep HIPAA and HITECH on your regular agenda. These changes can be made in a methodical, step-by-step fashion, but by the look of things in Washington, they absolutely must be made.