Thursday, February 24, 2011

(Mass General) has agreed to pay the U.S. government $1,000,000 to settle potential violations of the HIPAA Privacy Rule

The General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (Mass General) has agreed to pay the U.S. government $1,000,000 to settle potential violations of the HIPAA Privacy Rule.

Mass General, one of the nation’s oldest and largest hospitals, signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. The settlement follows an extensive investigation by OCR.

“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information,” said OCR Director Georgina Verdugo.

The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. OCR opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on March 9, 2009. OCR’s investigation indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.

This impermissible disclosure involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. These documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left the documents on the subway train. The documents were never recovered.

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” said Verdugo. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

If you believe that a person or organization covered by the Privacy and Security Rules has violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

Read the HHS Press Release http://www.hhs.gov/news/press/2011pres/02/20110224b.html

Read the Resolution Agreement and CAP http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/massgeneralra.pdf

Additional information about OCR’s enforcement activities can be found at www.hhs.gov/ocr

MIAOULIS NOTE: This was not a fine, but an agreed-upon payment of 1 Million. Following yesterday's 4.3 million, organizations should pay close attention to the future.

Tuesday, February 22, 2011

HHS Imposes a $4.3 Million Civil Money Penalty for Violations of the HIPAA Privacy Rule

February 22, 2011

OCR has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule. The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

“Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule,” said HHS Secretary Kathleen Sebelius.

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

A copy of the Notice of Final Determination and Notice of Proposed Determination may be found at:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetcmp.html

Miaoulis Note: The article speaks for itself; you do not want willful neglect.

Thursday, February 17, 2011

Henry Ford - Detroit Security Breach

Henry Ford Health Systems has notified patients of a possible security breach after a laptop was stolen out of an unlocked medical urology office September 24th. Representatives with the hospital said that although the laptop was password protected, there is a possibility some personal patient information could be at risk.

The hospital began notifying affected patients in a letter mailed last week from Chief Privacy Officer Meredith Phillips. The letter explained what happened, what information was stored on the laptop and what steps the health system is taking to prevent future breaches of patient information.
http://www.clickondetroit.com/news/25801194/detail.html

Wednesday, February 16, 2011

New York City hospital system admits to massive data breach ($350 Million Potential Cost)

The New York City Health and Hospital Corp. (HHC) said that personal information of nearly 1.7 million hospital patients, staff, vendors, and contractors was stolen from a GRM Management Information Services van.
The data breach affected patients, staff, vendors and contractors at the Jacobi Medical Center, North Central Bronx Hospital, and their two affiliated health centers. The personal information was collected over the past 20 years and included names, addresses, social security numbers, patients’ medical histories, and the occupational/employee

The 14-hospital system said it was providing free credit monitoring and fraud resolution services for one year to the nearly 1.7 million people affected. According to the Ponemon Institute, data breaches cost $204 per compromised record. That figure would place the cost of this data breach in the range of $350 million.

http://www.infosecurity-us.com/view/15958/new-york-city-hospital-system-admits-to-massive-data-breach/

Friday, February 4, 2011

Texas Children’s Hospital Notifies New Hampshire

On December 29, Texas Children’s Hospital was notified by the Harris County District Attorney’s Office that its Accounts Payable system may have suffered a security breach. Names and Social Security Numbers of some employees and vendors who received checks between 1999 and 2011 may have been accessed by an unauthorized third party and the information misused to open electricity accounts.
In a letter dated January 28 to the New Hampshire Attorney General’s Office and to those potentially affected, TCH reports that they had not (yet) confirmed that there had been a breach, but in light of the concerns, were notifying all those potentially affected and offering them two years of free credit monitoring, fraud resolution, and identity theft insurance.

Four New Hampshire residents were among those being notified of the concern. Not all employees or vendors are potentially affected; only those who received checks sent from the Accounts Payable department.
http://www.databreaches.net/?p=16626
Miaoulis Note: Although the breach occurred in Texas, it appears that Texas Children's notified the Attorney General in New Hampshire. There is some debate on the need to report to out-of-state Attorneys General. Clearly the safest avenue is to report as specified in the states' breach notification requirements.

Thursday, February 3, 2011

Iowa Hospital fires 3 due to Hawkeyes Players' Illness...

IOWA CITY, Iowa -- The University of Iowa Hospitals and Clinics will fire three employees and hand two others unpaid five-day suspensions after an investigation confirmed they inappropriately breached the medical records of hospitalized football players, a spokesman said Thursday.

UI spokesman Tom Moore told The Associated Press the move "is an indication of our commitment to patient privacy." He said the breaches have been reported to federal regulators, who can choose whether to seek additional fines and jail time against those involved.

Moore said the hospital will not release the names of the employees involved or their positions. He said the school was "in the process" of seeking terminations and issuing the suspensions, but would not elaborate.

The hospital said last week it was launching an investigation into the possibility that the privacy of the medical records of the 13 Iowa football players who were hospitalized with a rare muscle disorder may have been breached. Moore said the investigation confirmed there were five responsible for the breaches, and that the student-athletes affected have been notified.

http://www.al.com/sports/index.ssf/2011/02/iowa_hospital_firing_3_workers.html

Tuesday, February 1, 2011

HIPAA final rules -- 2011

In its semi-annual regulatory update — published December 20, 2010, in the Federal Register — HHS writes that the deadline for the final rule on modifications to the HIPAA privacy, security and enforcement rules is March 2011.

Last month, Adam H. Greene, senior health information technology and privacy specialist with the Office for Civil Rights (OCR), said the HIPAA privacy and security rule enforcer plans to release final rules regarding HITECH and HIPAA “in 2011.” OCR’s intention is to avoid staggering compliance dates.

http://edocket.access.gpo.gov/ua101220/pdf/2010-30473.pdf