The action against Cignet represented the first time since HIPAA became law that such a fine has been imposed on an organization in the healthcare field over a privacy violation. HHS said the fine was levied on Cignet for two reasons: It did not give 41 patients access to their medical records when they asked for it, and it did not subsequently cooperate with an investigation into the matter by HHS’s Office for Civil Rights (OCR).
HIPAA’s privacy rules require covered entities to provide patients with copies of their medical records no later than 60 days after they request the records, HHS noted.
Cignet’s failure to do so earned it a $1.3 million penalty under HIPAA rules. An additional $3 million penalty was assessed against Cignet for its failure to cooperate with OCR investigations and for its repeated refusal to produce records in response to HHS demands.
The HHS settlement with Massachusetts General Hospital stems from a March 2009 incident in which documents containing protected health information on 192 patients were lost when an employee inadvertently left them on a subway train.
…Both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the 2009 stimulus package, contain provisions for protecting the privacy and security of patient data.
…The penalties indicate that HHS is taking a hard look at business process failures that can result in privacy violations, said Peter MacKoul, president of consulting firm HIPAA Solutions LC.
Both of this week’s actions stemmed from business process issues and not technology failures, MacKoul said. Weak business processes — such as a failure to ensure that data on laptops is encrypted, or a failure to protect against the use of USB flash drives, or the improper handling of hard copies — often result in privacy breaches, he said.
…The latest HIPAA enforcement actions follow news this week that the number of people whose healthcare data is lost or stolen continues to soar. A report released earlier this week by the accounting firm Kaufman, Rossin & Co. showed that in the first year since the HITECH Act was passed, about 5 million people had their personal health information compromised, either as a result of theft or because the data was lost.
…The largest incident involved a lost laptop containing unencrypted protected health information on 1,222,000 individuals, the report said.
http://www.computerworld.com/s/article/9211359/HIPAA_privacy_actions_seen_as_warning?source=CTWNLE_nlt_dailyam_2011-02-25