'Wall of Shame' exposes 21M medical record breaches

Notification, reporting part of new rules under the Health Information Technology for Economic and Clinical Health Act

Page 2 of 2

But not all the data potentially exposed is lost by the health providers themselves. For example, in a statement issued in April last year, Health Net said it was notified by IBM, its IT vendor at the time, that it could not account for "several server drives," which contained 1.9 million patient records.

Health Net said it acted "promptly, decisively and appropriately to protect affected individuals."

Health Net stated that it worked with IBM and other experts to investigate the incident, and it notified affected individuals whose records had gone missing "in fewer than 60 days, in accordance with federal law." The company stated that no evidence has been found to indicate the records have been used inappropriately.

"We voluntarily agreed to provide affected individuals with two years of credit monitoring, $1 million in insurance protection and reimbursement for costs associated with the freezing and unfreezing of an individual's credit," Health Net stated.

Hospitals, insurance plans and physician practices can avoid penalties by encrypting the health care data at rest, so that a lost or stolen drive does not expose readable records, or by destroying the electronics that house the data at end of life. Unfortunately, too few organizations are getting the message.

"We're seeing daily reports of doctors' offices being broken into for the CPU, the hard drive," Seeger said. "It's not just the mobile device. It's anything electronic that people can sell."

Under the HITECH Act, there are four tiers of violations that reflect increasing levels of culpability, from a violation the organization did not know about to willful neglect left uncorrected. Penalties can reach a maximum of $1.5 million per calendar year for all violations of an identical provision.

When healthcare organizations violate HIPAA privacy rules, the U.S. Department of Health and Human Services (HHS) hammers out a resolution agreement with the organization. Under the agreement, the healthcare organization performs certain obligations, such as staff training, and makes reports to HHS, typically for a period of three years. The agreement likely would also include the payment of a resolution amount.

When HHS is not able to reach a satisfactory resolution through demonstrated compliance or corrective action, "Civil Monetary Penalties" may be imposed for noncompliance. To date, HHS has entered into nine resolution agreements and issued civil monetary penalties against only one organization.

HHS hit Cignet Health of Prince George's County with a $4.3 million civil monetary penalty. Other top breaches are still under investigation, Seeger said.

The HHS Office for Civil Rights (OCR) said it found that Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October 2009.

"During the investigations, Cignet refused to respond to OCR's demands to produce the records. Additionally, Cignet failed to cooperate with OCR's investigations of the complaints and produce the records in response to OCR's subpoena," HHS stated in a news release at the time.

On March 9, Blue Cross Blue Shield of Tennessee (BCBS) settled with HHS to the tune of $1.5 million over 57 unencrypted computer hard drives that were stolen from a leased storage facility in 2009. BCBS has since encrypted all of its hard drives, representing 885 TB of data. BCBS said it spent more than 5,000 man-hours on the encryption effort, which cost the company $6 million.

On June 26, the Alaska Department of Health and Social Services (DHSS) also settled with HHS for $1.7 million, along with a three-year corrective action plan, over the theft of a USB hard drive from an employee's vehicle. The hard drive held a relatively small number of records, covering only 501 people. That case represents the first HHS action against a state agency.

"The settlement is based on multiple violations of the Rule, not the number of records involved in the incident that sparked the investigation," Seeger said.

The OCR found "long-standing non-compliance with the HIPAA Security Rules."

"I think the fines and the list send a strong signal," she added.

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is lmearian@computerworld.com.

See more by Lucas Mearian on Computerworld.com.

Copyright © 2012 IDG Communications, Inc.
