Second Major Fine This Week Shows OCR Really is Ramping Up HIPAA Enforcement
Earlier this week, OCR levied a $4.3 million fine for HIPAA violations against Cignet Health. Now, just days later, OCR is taking Massachusetts General Hospital and its physicians organization to task, entering into a resolution agreement that includes a $1 million settlement and a requirement for the hospital to take corrective action.
Last May, OCR officials promised enforcement was coming. These comments were reiterated late in 2010, with an emphasis on 2011 being the year to focus on enhanced enforcement activity. And just this week at HIMSS, OCR officials explained once again that HIPAA enforcement of the Security and Privacy Rules, as well as the Data Breach Notification requirements, is imminent. Now we are seeing the teeth behind the bark.
As reported by HealthcareInfoSecurity.com on February 24, 2011:
With the two announcements of penalties for HIPAA privacy rule violations, HHS' Office for Civil Rights appears to be giving strong signals that its long-promised plans to ramp up enforcement efforts are now a reality. "We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," said OCR Director Georgina Verdugo.
Massachusetts General Hospital is being penalized for the loss of 192 billing records for HIV/AIDS patients. These records included insurance details and sensitive diagnostic information. The loss occurred when an employee accidentally left the records on the subway during the daily commute. This is a real-world scenario that just begs for more employee training, more stringent data access restrictions, and better policies and procedures.
Cignet failed to provide copies of patient records when they were requested by patients, and then opted not to cooperate with the OCR investigation. This seems to have been a leadership issue, where perhaps the decision-makers just weren’t up-to-speed on the consequences of their actions.
If you are in a position to help your organization avoid these kinds of events, then Clearwater would like to help. A HIPAA security assessment will not only help meet HIPAA compliance requirements, but it will also help a healthcare organization or business associate identify gaps and solutions for remediation – before an incident occurs. We can also help your organization implement some tried and true HIPAA security policies and procedures so you don’t have to reinvent the wheel or worry about whether your organization is implementing best practices.