Archive for February, 2011
Q. An employee of a physician practice, who is not authorized to release a patient’s billing information, shares a patient’s outstanding balance and other billing information with another individual. Has the employee inappropriately disclosed the patient’s PHI?
A. The employee’s actions constitute a breach if the employee released the patient’s financial information without the patient’s authorization and for purposes other than payment or healthcare operations. The privacy rule specifically addresses billing information.
Any financial information pertaining to patients (e.g., name or address, specific health-related information, patient financial information, patient demographic information) is considered PHI and thereby enjoys the protection of the privacy rule.
Employees responsible for a breach of PHI—a federal crime since February 17, 2009, under the HITECH Act—should be subject to sanctions.
Editor’s note: Chris Apgar, CISSP, answered this question. Apgar is president of Apgar & Associates, LLC, in Portland, OR. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
By Cheryl Clark, for HealthLeaders Media
Massachusetts General Hospital has agreed to pay $1 million to settle allegations it violated patient privacy laws when a hospital employee lost protected patient medical information on a subway in March, 2009, federal and hospital officials announced Thursday.
The loss was said to be a “potential violation” of HIPAA, according to HHS. Mass General signed a “resolution agreement” that requires it to develop and implement a comprehensive set of policies and procedures to safeguard patient privacy.
In a statement, MGH privacy officer Deborah Adair said the hospital will issue new or revised policies and procedures with respect to physical removal and transport of PHI from hospital premises, laptop encryption, and USB drive encryption.
“After these policies and procedures are issued, we will be providing mandatory training on them,” and all members of the workforce will have to complete that training, she said.
Georgina Verdugo, director of OCR, said “We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”
According to an HHS statement, the incident involved PHI for 192 patients treated by the hospital’s Infectious Disease Associates outpatient practice, and included patients with HIV/AIDS. An investigation ensued after a patient whose records were lost on March 9 filed a complaint. Among the lost records were billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis, and names of providers for 66 of those patients.
The documents were lost when a Mass General employee, while commuting to work, left the documents on the subway. The records have not been recovered.
That investigation “indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of protected health information when removed from Mass General’s premises and impermissibly disclosed protected health information potentially violating provisions of the HIPAA Privacy Rule,” the HHS statement said.
The correction plan also directs the hospital’s Director of Internal Audit Services of Partners HealthCare System Inc. to serve as an internal monitor that will conduct assessments of Mass General’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.
We have a nurse who has twice mailed test results to the wrong patient. Both times the nurse failed to follow established policy to verify that the test results were mailed to the correct patient. The nurse feared that the patients would contact the practice; therefore the nurse thought it best to report the incidents herself. Would issuing a written warning to the nurse for failure to follow policy be considered retaliation, since the nurse did report the incidents?
Your HIPAA training content should include privacy and security, but you should also train your workforce on other information resources that need protection, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
All confidential information needs protecting, including payroll and human resources information that may include names and Social Security numbers, confidential business strategies, and legal matters.
Provide staff members with examples of PHI and identify other information you want to keep confidential. Describe threats to privacy and security, including both internal and external threats. Make staff aware of threats from actions such as phishing, scams, and identity theft.
Train staff on what to do if they see someone suspicious in your facility without an ID badge. Encourage them to ask the person, without being rude, if he or she needs help or directions. If the person declines help, your staff should know where to report their suspicions.
This tip was adapted from the March 2011 issue of Strategies for Health Care Compliance. More information about Strategies for Health Care Compliance is available at the HCMarketplace.
The Office for Civil Rights (OCR), the HIPAA privacy and security enforcer, has issued its first civil money penalty to a covered entity for violations of the HIPAA Privacy Rule, according to a press release posted today on the Department of Health & Human Services (HHS) website.
The OCR fined Cignet Health, of Prince George’s County, MD, $4.3 million for the violations, which also marks the first time federal regulators have used the new monetary penalty structure under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Cignet violated the rights of 41 patients when it denied them access to their medical records, which they requested between September 2008 and October 2009, according to HHS.
Further, Cignet did not respond to OCR’s demands to produce the records and did not cooperate with investigations.
When reached by phone Tuesday afternoon, a customer service representative from Cignet Health said Dr. Dan Austin, CEO, would handle requests from media. He was unavailable at the time, the representative said.
The health system has four locations in Southern Maryland.
The violations are considered “willful neglect”, and fall under the most egregious penalty scale under HITECH, according to Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA.
The penalty amount demonstrates the significance of “willful neglect” violations by entities who are “not actively trying to get into compliance and stay in compliance,” Herold says. Further, it shows the importance of having policies and procedures in place to follow during an OCR investigation.
“This should also serve as an example and provide good motivation for all covered entities and business associates to get into compliance, and maintain compliance, with HIPAA and HITECH,” Herold says. “[Privacy and security officers] need to show this news report to their CEOs and CFOs to prove that penalties not only can occur, but that they have now started, and with quite a big, financially painful bang.”
The patients who requested the medical records individually filed complaints with OCR, initiating the government’s investigations. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of his or her medical records within 30 days of the patient’s request, with one possible 30-day extension. Those violations cost Cignet Health $1.3 million. Failing to cooperate with the government investigation accounted for the other $3 million in fines. The penalties are based on amounts authorized by Section 13410(d) of HITECH.
Herold says she expects more patients and patients’ rights groups to submit complaints to OCR in hopes of the same result.
“Due to their apparent lack of compliance, as well as demonstrable arrogance with regard to dealing with the OCR investigators, Cignet now has the dubious honor of being the poster child for HIPAA/HITECH willful neglect,” Herold adds.
This isn’t the first HIPAA violation involving large fines. CVS Caremark Corp. reached a settlement of $2.25 million for potential HIPAA violations in February 2009, and Rite Aid Corporation in the same investigation settled for $1 million a year and a half later. In addition, Health Net, Inc. agreed to pay $250,000 to the state of Connecticut for HIPAA violations in 2010.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP, notes that OCR hasn’t handed out any “true fines,” rather just settlements, until now.
“It’s hard to know exactly what was going on at Cignet, but failing to cooperate with an OCR investigation, much less failing to directly address customer complaints that raise HIPAA issues, is just plain stupid,” Drummond says. “For some time now, many of us who follow HIPAA have been waiting for OCR to find a particularly egregious case and deliver a significant fine, so that some in the healthcare industry who have gotten lackadaisical about HIPAA compliance will sit up and take notice. This may just be the case.”