HIPAA privacy actions seen as warning
HHS hits Cignet with $4.3M penalty; Mass. General settles for $1M
Computerworld - Two separate enforcement actions taken this week by the U.S. Department of Health and Human Services for HIPAA privacy violations should serve as a warning to all healthcare entities, say privacy analysts.
The agency announced on Thursday that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act's privacy provisions.
This week's other enforcement action involved Massachusetts General Hospital, which agreed to pay HHS a total of $1 million to settle potential HIPAA privacy violations.
The action against Cignet represented the first time since HIPAA became law that such a fine has been imposed on an organization in the healthcare field over a privacy violation.
HHS said the fine was levied on Cignet for two reasons: It did not give 41 patients access to their medical records when they asked for it, and it did not subsequently cooperate with an investigation into the matter by HHS's Office for Civil Rights (OCR).
HIPAA's privacy rules require covered entities to provide patients with copies of their medical records no later than 60 days after they request the records, HHS noted.
Cignet's failure to do so earned it a $1.3 million penalty under HIPAA rules. An additional $3 million penalty was assessed against Cignet for its failure to cooperate with OCR investigations and for its repeated refusal to produce records in response to HHS demands.
The HHS settlement with Massachusetts General Hospital stems from a March 2009 incident in which documents containing protected health information on 192 patients were lost when an employee inadvertently left them on a subway train.
The actions could be a sign that HHS is getting serious about enforcing HIPAA's privacy requirements more stringently, said Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation.
These actions are among "the most significant things that the administration has done for patient privacy," Peel said.
Both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the 2009 stimulus package, contain provisions for protecting the privacy and security of patient data.
"But nobody has been paying attention to them. It's like mass civil disobedience by industry," Peel said. "So this is incredibly welcome for patients."
The penalties indicate that HHS is taking a hard look at business process failures that can result in privacy violations, said Peter MacKoul, president of consulting firm HIPAA Solutions LC.
Both of this week's actions stemmed from business process issues and not technology failures, MacKoul said. Weak business processes -- such as a failure to ensure that data on laptops is encrypted, or a failure to protect against the use of USB flash drives, or the improper handling of hard copies -- often result in privacy breaches, he said.
"That is the kind of violation that happens a lot," he said.
Entities that fall under HIPAA's jurisdiction need to pay attention to such issues but often do not, MacKoul said. "It is interesting that HHS is using the privacy rule" to go after such violations, he said.
Importantly, the fine against Cignet also shows that HHS is prepared to come down hard on healthcare companies that show willful neglect in protecting patient data, he said.
"To me it is very significant that they are willing to apply willful neglect [against Cignet] to the tune of $3 million," MacKoul said. "It's one thing when they write it into law. It's a totally different story when they actually enforce it."
"Covered entities should take note," he said.
The latest HIPAA enforcement actions follow news this week that the number of people whose healthcare data is lost or stolen continues to soar.
A report released earlier this week by the accounting firm Kaufman, Rossin & Co. showed that in the first year since the HITECH Act was passed, about 5 million people had their personal health information compromised, either as a result of theft or because the data was lost.
A total of 166 data breach incidents (each involving more than 500 individuals) had been reported to HHS as of Sept. 10, 2010. The largest incident involved a lost laptop containing unencrypted protected health information on 1,222.000 individuals, the report said.
In a statement, Massachusetts General Hospital said it will be issuing new or revised polices on issues such as the removal and transportation of material containing protected health data, laptop encryption and USB drive encryption. "After these policies and procedures are issued, we will be providing mandatory training on them. All members of our workforce must participate in the training and certify that they have completed it," the hospital said in a statement.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- NSA defends collecting data from U.S. residents not suspected of terrorist activities
- Groups fear bill would allow free flow of data between private sector and NSA
- Google's move into home automation means even less privacy
- Bill to require warrant for email searches gains ground in House
- Coming soon to a fridge near you -- targeted ads
- Snowden leaks prompt tech firms to tout privacy, transparency policies
- License reader lawsuit can be heard, appeals court rules
- Is EU's 'right to be forgotten' really the 'right to edit the truth'?
- Tails 1.0: A bootable Linux distro that protects your privacy
- Privacy jitters derail controversial K-12 big data initiative
Read more about Privacy in Computerworld's Privacy Topic Center.
- Agility & Scalability for Oracle EBS R12 and RAC on VMware vSphere 5 This white paper outlines extensive performance and scalability testing of Oracle EBS applications on a Vblock™ Systems with vSphere 5.
- Oracle and VCE: The Next Step in Integrated Computing Platforms In this ESG Lab review you will learn how a VCE system driven by Oracle, delivers the perfect blend of high performance and...
- Migrate Oracle Apps from RISC/UNIX to Virtualized x86 Ready to move Oracle to a virtualized environment? This brief explains how true converged infrastructure can help you migrate from a RISC/UNIX environment...
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!