Million-dollar-plus fines signify tougher enforcement of HIPAA
HITECH rules pave way for much higher penalties
Fines of $4.3 million for Maryland-based Cignet Health and $1 million for Massachusetts General Hospital in Boston should give hospital staff reason to take notice of the stricter enforcement and higher fines included in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
"Although many compliance officers see these headlines and are thankful it wasn't their organization, the real message in all of the news stories from OCR [Health and Human Services' Office of Civil Rights] was the OCR representative's repetition of the statement that OCR is serious about enforcing HIPAA regulations," says Helen Oscislawski, Esq., principal with Attorneys at Oscislawski, Princeton, NJ. "Also, each case that is prosecuted gives compliance officers a snapshot of what led to the violation and what OCR expects the organization to do to bring their organization into compliance."
Because the resolution agreements between OCR and institutions found to be in violation of HIPAA privacy or security rules are published on the Health and Human Services' web site, compliance officers can see what actions OCR expects the organization to take, says Oscislawski. "With each resolution agreement posted, it becomes more difficult for a compliance officer to say he or she didn't know OCR expected policies or compliance programs to contain certain elements," she explains. "These resolution agreements should be reviewed by all compliance officers when they are posted."
The agreements can serve as a checklist in the evaluation of an organization's own compliance program, she adds. For example, in the Massachusetts General case, an employee took paper copies of medical records home to finish some work, says Oscislawski. "The next day, when going to work, she forgot to pick up the bag containing the records and left them on the subway," she explains. The resolution agreement for Massachusetts General includes the $1 million fine along with a requirement to revise policies to address removal of protected health information (PHI) from the hospital premises, Oscislawski says. Although paper documents were involved in this case, the agreement also provides for Massachusetts General to address encryption of PHI on laptops, flash drives, and other electronic media, she points out.
"HIPAA does not mandate the use of encryption for all PHI, but in this and other resolution agreements, encryption is often required," she says. "Although encryption is not required, it is obviously viewed as a best practice."
When it comes to removal of PHI from the premises, it is difficult to say an employee should never remove information, due to the nature of some people's work, says Dave Sina, JD, vice president of compliance for Healthcare Compliance Consulting in St. Paul, MN. "The best policy related to removal of PHI from the premises is one that allows it for specific reasons and only with the approval of an upper level manager," Sina suggests. "Approval should be given after the reason is identified, the identity of the person is clear, and the steps to protect the information are clarified."
The Cignet Health case is not a case of removal or loss of PHI; instead, it focuses on the organization's refusal to provide 41 patients with copies of their medical records within 30 to 60 days of their requests, says Oscislawski. The $4.3 million civil monetary penalty imposed on Cignet Health could have been avoided by simply responding to the reasonable requests of patients for their own medical records, according to the case laid out by the Department of Health and Human Services (HHS), she points out. "It is not yet clear why Cignet denied patients access to their records, but there is no reason to withhold a patient's records," she adds.
Even though Cignet failed to give patients access to records, the size of the fine could have been reduced if the organization had responded to letters from HHS and cooperated with the investigation, says Oscislawski. Eventually, Cignet produced the records requested by HHS, but delivered them in 59 boxes that included 4,500 patient records, she says.
"It's ironic that when they provided the records requested, they also disclosed many other records for which there was no reason to disclose," Oscislawski adds.
HITECH allows extra penalties
The lesson to learn from the Cignet fine is to work with OCR, Oscislawski says.
"The initial fine for denying patients access to their records in a timely manner was $1.3 million, but an additional $3 million was added for failure to cooperate with OCR and to provide the records within the timeframe set during the investigation," she says.
The punitive fines are a key feature of HITECH, Sina says. "An organization can be fined up to $50,000 per day per violation," he explains. In Cignet's case, the organization showed "willful neglect" and failed to cooperate in the investigation from March 17, 2009, to April 7, 2010, he adds.
"Prior to HITECH there was no opportunity for OCR to assess [triple] damages, which has been done in some cases, or to assess additional penalties based on number of violations," Sina explains. Although smaller healthcare organizations might have taken a chance in the past and chosen not to implement HIPAA compliance programs due to cost, the potential for additional fines makes compliance more important than ever, he adds.
In addition to enhancement of policies, a key component of most resolution agreements is the provision and verification of employee education. Not only do employees need to understand the hospital's policies about protection of PHI, but also they need to know how to report potential breaches, says Oscislawski.
"I don't have a crystal ball," admits Oscislawski. "I do, however, see stricter enforcement and larger fines for HIPAA and HITECH violations to continue."
For more information about tips to improve compliance, contact:
Nancy Dean, JD, MPA, CHC, CHRC, Vice President of Audit and Compliance Privacy Officer, NYU Langone Medical Center, 550 First Ave., New York, NY 10016. Telephone: (212) 404-4078. E-mail: Nancy.Dean@nyumc.org.
Helen Oscislawski, Esq., Principal, Attorneys at Oscislawski, 22 Caroline Drive, Princeton, NJ 08540. Telephone: (609) 385-0833. Fax: (609) 385-0822. E-mail: Helen@oscislaw.com.
Dave Sina, JD, Vice President of Compliance, Healthcare Compliance Consulting, 5755 Heather Ridge Drive, St. Paul, MN 55126. Telephone: (651) 484-4303. Fax: (651) 484-6213. E-mail: firstname.lastname@example.org.
To see copies of resolution agreements and press releases regarding HIPAA cases, go to www.hhs.gov/ocr/privacy and select "news archive" on the left navigational bar. Scroll through the press releases to find descriptions of fines and investigations, resolution agreements, and corrective action plans for Massachusetts General (2/24/2011) and Cignet Health (2/22/11), as well as other organizations.
To see a copy of the New York University Langone Medical Center "badge buddy" and read more about the compliance program, go to http://compliance.med.nyu.edu. Select "Help line" from the top navigational bar.