Health Information Management

HIPAA enforcement actions take center stage as breaches, violations, and penalties pile up

HIM-HIPAA Insider, March 22, 2011


HIPAA enforcement actions have been all over the news in the last month. It began with the Office for Civil Rights’ (OCR) issuance of the first civil money penalty for a privacy rule violation—or in this case, violations—on February 22.

The OCR fined Cignet Health, of Prince George’s County, MD, $4.3 million for violating the rights of 41 patients when it denied them access to their medical records, which they requested between September 2008 and October 2009. In addition, OCR levied a large portion ($3 million) of the penalty because Cignet did not respond to OCR’s demands to produce the records and did not cooperate with investigations.

Then, on February 24, HHS announced that Massachusetts General Hospital had agreed to pay $1 million to settle allegations that it violated patient privacy laws when a hospital employee lost protected patient medical information on a subway in March 2009.

HHS characterized the loss as a “potential violation” of HIPAA. Mass General signed a “resolution agreement” that requires it to develop and implement a comprehensive set of policies and procedures to safeguard patient privacy.

In a statement, MGH privacy officer Deborah Adair said the hospital will issue new or revised policies and procedures with respect to physical removal and transport of protected health information (PHI) from hospital premises, laptop encryption, and USB drive encryption.

More recently, and for the second time in less than a year, health insurance giant Health Net, Inc., is involved in a potentially major breach of clients’ PHI.

The insurer, which serves 6 million clients nationwide, is investigating the potential loss of nine server drives that included PHI and personal information of 1.9 million past and current enrollees from its data center operation in Rancho Cordova, CA, according to a March 14 California Department of Managed Health Care (DMHC) press release.

Though Health Net did not specify how many individuals were affected in its own March 14 press release, DMHC came to the 1.9 million total after including the records of 622,000 of DMHC’s state enrollees in the breach.

If the DMHC’s numbers hold up, it would be the largest breach of unsecured PHI reported to the OCR. The HIPAA privacy and security rule enforcer began posting entities reporting breaches of 500 or more individuals in February 2010, per a provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Editor’s note: This information was excerpted from the HCPro HIPAA Update blog.
