Cignet Proves That It Is Bad To Violate The HIPAA Privacy Rule, But Worse To Ignore HHS

Cignet Health (Cignet), which operates four health centers in Maryland, is a little lighter in the wallet after the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) found that Cignet violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - $4.3 million lighter, to be exact.

This penalty marks the first civil money penalty imposed by HHS for violations by a “covered entity” of the HIPAA Privacy Rule. In the past, HHS has primarily worked with covered entities to settle the violations and obtain agreement to changes in practices. The civil monetary penalty imposed upon Cignet is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified HIPAA.

According to the HHS news release, part of the penalty stems from Cignet’s denying 41 patients their right to access their medical records when requested between September 2008 and October 2009. Under HIPAA, a covered entity must provide access to a patient who requests such access to his or her medical record within 30 days of the request, subject to various exceptions and limited rights to extend such time period. (Numerous state laws include similar obligations that health care providers provide a patient with access to his or her own records, often within shorter time frames than is required by HIPAA.) Thirty-eight separate complaints of such denial of access had been filed with OCR, pursuant to which OCR began its investigation of Cignet. HHS has indicated that $1.3 million of the $4.3 million penalty is attributable to this denial of access to a patient’s records.

Notably, out of the over 50,000 complaints of alleged HIPAA Privacy Rule violations that OCR has resolved, the denial of a patient’s access to his or her own records has been the third most cited reason for such a complaint every year since 2003, when compliance with the Privacy Rule was first legally required. But every other such complaint of denial of access was informally resolved with OCR. According to various news reports, Cignet never attempted to informally resolve the complaints with OCR.

In Cignet’s case, $3 million of the penalty is attributable to OCR finding that Cignet repeatedly failed to respond to various requests from OCR for more than a year (March 17, 2009 to April 4, 2010), resulting in per-day penalties, up to the maximum permissible penalties per year pursuant to applicable enforcement rules. Under HIPAA, covered entities are required to cooperate with HHS investigations. Even after Cignet finally produced the applicable patient records to HHS (in response to a federal court order), Cignet’s cooperation was limited in that it produced records relating to thousands of patients in addition to the 41 at issue. In various communications from OCR during the course of the investigation and the initial proposal of penalties, Cignet was notified of its rights to offer defenses and mitigating factors, and subsequently, of its rights of appeal. Cignet never exercised any of its rights.

The lesson to be learned from Cignet is that if you violate the HIPAA Privacy Rule, be prepared to pay, but if you fail to cooperate with OCR investigations into such violations, be prepared to pay even more (potentially 200% more). The question remains as to whether or not the extent of this fine is a true example of a new approach to enforcement of HIPAA, or whether Cignet’s ignoring official inquiries, failing to pursue informal resolution and not exercising its rights under HIPAA warranted unusual measures.

Red Flag Rules Compliance Deadline Extension Not Grounds to Procrastinate

I spoke with Health Leaders Media about the Red Flag Rules and the FTC's further extension of the compliance deadline, previously discussed here. The title of the article says it all: "Don't Delay Because of Red Flags Rule Delay."

HHS Enters Into First Monetary Settlement Under HIPAA

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.

Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.

The circumstances underlying the Resolution Agreement were at least five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients. Providence, in accordance with state notification laws, advised patients of the loss of their information. More than 30 of those patients subsequently complained to HHS, although there is no evidence that any of their personal information was wrongfully used as a result of these incidents. The HHS Office of Civil Rights, responsible for enforcing the privacy regulations under HIPAA, and the HHS Centers for Medicare & Medicaid Services, responsible for enforcing the security regulations under HIPAA, jointly investigated these complaints, focusing on Providence's failure to implement policies and procedures to safeguard the ePHI.

Pursuant to the Corrective Action Plan, for the next three years Providence must:

▪ Provide copies to HHS, for its review and approval, of policies and procedures that address physical and technical safeguards for off-site storage and transport of electronic media containing ePHI;

▪ Following HHS approval of these security policies and procedures, provide to HHS evidence that Providence has implemented such policies and procedures, and distributed them to all applicable members of its workforce;

▪ Require a signed certification from each workforce member that such person has read, understood and will follow such policies and procedures;

▪ Annually assess such policies and procedures, and revise as appropriate;

▪ Train all workforce, including obtaining a signed certification of training from each workforce member before s/he may transport a portable device containing ePHI, or conduct off-site storage or transport of backup media containing ePHI;

▪ Notify HHS if it discovers that a workforce member violated any of these procedures;

▪ Conduct quarterly “Monitor Reviews,” including unannounced site visits, interviews of employees and inspection of portable devices to ensure compliance with these policies, and provide records of such monitoring to HHS; and

▪ Submit annual reports to HHS that show its compliance with this Plan.

When considered individually, none of the reported security incidents experienced by Providence in 2005 and 2006 was extraordinary. Virtually every day the media includes reports of laptop losses or thefts. Further, the HIPAA privacy and security regulations do not explicitly prohibit off-site access or transport of ePHI, and do not require encryption of ePHI in all circumstances. While security practices are still evolving, at the time of these incidents, it was not uncommon for health care organizations to maintain unencrypted ePHI in storage media, or to permit employees to remotely access ePHI.

When considered collectively, however, the occurrence at Providence of five similar security incidents over a six-month period is more noteworthy and relevant for other health care organizations. Further, the types of remedial measures included in the Corrective Action Plan provide evidence of HHS’ focus in this area, and serve as additional guidance for HIPAA-covered entities. As a starting point, a covered entity should review its current privacy and security policies and procedures to determine if they remain relevant, consistent with the experience of the organization, and current with technological advances. Annual reviews should follow. If a HIPAA-covered entity instituted security policies and procedures in 2003 or 2004, those may no longer be reasonable in 2008, and may no longer be consistent with security procedures at other similar organizations. In addition to keeping abreast of industry standards, companies should follow applicable guidance from HHS. In connection with the particular incidents at Providence, in late 2006, HHS issued guidance on the use of portable media, and offsite access and transport of ePHI.

Any time privacy and security policies and procedures are updated, copies of such revised policies and procedures should be distributed to all applicable employees, and such employees should be retrained in the revised procedures. Next, in the event of a privacy breach or other security incident, a covered entity should immediately investigate the cause of the incident, review its then current policies and procedures to determine what additional measures should be taken to avoid future similar incidents, promptly institute any necessary revisions to policies and procedures, and distribute revised policies and retrain employees as applicable. Periodic monitoring of compliance with existing privacy and security policies and procedures is also advisable. Finally, all privacy and security policies and procedures, and training in such policies and procedures should be actively documented.

In light of the Providence settlement, as well as HHS’ announcement earlier this year that it intends to conduct security audits of HIPAA-covered entities, it appears that we are now moving into an era where HHS is taking a more active role in HIPAA enforcement, particularly with respect to security of electronic health information.

Prying Eyes Make Headlines

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential.

The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.

One employee, former administrative specialist Lawanda Jackson, has been indicted for obtaining individually identifiable health information for commercial advantage. Jackson allegedly sold information about Farrah Fawcett’s battle with cancer to a national media outlet.

According to an incident report by the California Department of Health Services, an unnamed celebrity patient informed the facility as early as 2004 that confidential information about his or her hospitalization had been published in a national newspaper.

The Los Angeles incident is not the only hospital snooping scandal currently making headlines. In Michigan, employees at Sparrow Hospital were disciplined for peeking at the medical records of Governor Jennifer Granholm when she was admitted in April 2008 for surgery. The hospital did not release any additional information about the incident, citing federal privacy law.

Companies that want to stay off the front page must ensure that personnel receive and are regularly trained regarding company policies and procedures governing the protection of personally identifiable information, and must consistently enforce those policies and procedures.