Archive for February, 2011

Deeper look at the $4.3 million HIPAA fine

The Health and Human Services’ (HHS) Office of Civil Rights (OCR) issued a $4.3 million fine to Cignet Health of Prince George’s County, MD (Cignet) for violating the Privacy Rule of HIPAA. Cignet refused to provide 41 patients with access to their medical records. Under HIPAA, patients are entitled to have access to their medical records within 30 days and no later than 60 days from the initial request.

Not only did Cignet not provide the patients with access to their medical records, they also refused to cooperate with OCR during the investigation of the complaints. Below is a section from the HHS posting regarding this fine.

During the investigations, Cignet refused to respond to OCR’s repeated demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints, including failure to produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

What could Cignet be thinking? This is a question that many will be asking. It clearly shows that ignoring requests by HHS or OCR is not a good move.

Willful Neglect
Fines under HIPAA fall into different categories based on the severity of the violations. The most severe and most costly category is for willful neglect of HIPAA. Previously, willful neglect was a vague category that was not clearly defined. Well, now we have a very good idea of what willful neglect looks and feels like. One thing to especially note is that if OCR starts to investigate your organization, it is in your best interest to comply with the investigation.

Breakdown of the fines
The $4.3 million fine is actually a combination of two separate fines. Each fine is called a civil money penalty (CMP). Again from HHS:

The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The two fines break down as follows:

Covered entities are required under law to cooperate with the Department’s investigations. OCR found that Cignet’s failure to cooperate with OCR’s investigations was due to willful neglect. The CMP for these violations is $3 million.

The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

The clear takeaway from the Cignet fines is that HHS and OCR are sending a message that HIPAA is not to be ignored. I would take that to cover both the HIPAA Privacy and Security Rules. HHS and OCR have taken a lot of knocks for not enforcing the HIPAA and HITECH acts. This might be a wake-up call to everyone that this may no longer be the case. The final paragraph on the HHS site makes this very clear.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and seriously consider their compliance with all of HIPAA’s requirements,” said Director Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

Cross-posted at HIPAA Secure Now!


Deloitte study shows some interesting security information

The consulting company Deloitte released a study called Privacy and Security in Health Care: A Fresh Look. (PDF)

The report is a 20-page overview that addresses the following:

  • Provides an update about current and emergent privacy and security challenges in health care;
  • Examines notable hot spots where current policies, rules, and regulations are a focus of industry risk;
  • Reviews the state of preparedness for privacy and security risk throughout the industry;
  • Suggests an approach to assessing an organization’s current preparedness.

They have a good graph that shows a breakdown of breaches reported to HHS since 2009.

As that graph shows, laptops continue to be the leading source of data breaches.

The study went on to look at other healthcare industry studies, and the results show that organizations are clearly not doing enough to protect patient privacy.

Some highlights of those studies include:

  • 85% of hospitals are not in compliance with HITECH
  • Data breaches cost organizations on average $1 million annually
  • The top three causes of a data breach are: unintentional employee action, lost or stolen computing devices, and third-party snafu
  • Inadequate budget and lack of trained staff or end users are the top two reasons for data breach

The findings from a CMS study were eye-opening:

  • CEs did not perform a risk assessment and did not have a formalized, documented risk assessment process
  • Risk assessments were outdated and did not address all potential areas of risk
  • CEs had few and inadequate policies and procedures and they did not address the HIPAA Security Standards and Implementation Specifications
  • Documented procedures were inconsistent with procedures followed by CE personnel
  • CEs did not conduct security awareness training prior to granting user access
  • CEs had BAs but Business Associate Agreements (BAAs) did not exist between the two parties or existing BAAs were inadequate

The report is very interesting and worth a thorough read.


Huge Data Breach

Backup tapes containing 1.7 million patient records have been stolen from a van. The tapes held patient histories and electronic protected health information (ePHI) dating back 20 years. The information on the tapes includes names, addresses, Social Security numbers and medical information.

This is a huge data breach affecting an enormous number of people. Each of the 1.7 million people could be at risk of identity theft and other identity-related crimes. Stop for a second and think through what this data, including Social Security numbers, patient health records, names and addresses, would be worth on the black market.

The first question that MUST be asked is: why were these backup tapes not encrypted? Let’s not gloss over this. It is a crime to jeopardize this many people. Encrypting backup tapes is not only cheap but also very easy to do. It is just a setting in the backup software. It is just an encryption password.

The second question is: why is the HIPAA Security Rule not being enforced? How can we watch as millions and millions of patients have their Social Security numbers and health records breached? How can we ignore the government regulations that were put in place to protect patients? How many patients must be victims of identity theft before we say enough is enough?
