The Department of Health and Human Services has levied a hefty fine of $4.3 million against Maryland health care provider Cignet Health for HIPAA violations.
This is a significant event for institutions that deal with information governed by regulations for storing and managing records. The article’s statement that this is the first enforcement of the HIPAA regulations is inaccurate, but it is the first enforcement since the more stringent HiTECH Act was passed. Previous enforcements involved regional hospitals and did not receive significant publicity.
So why did the Department of Health and Human Services strike now? HHS is being punitive with the fine and public notification because of what seems like willful disregard for protecting information. The HHS said Cignet refused to provide 41 patients with copies of their medical records and failed to respond to repeated requests from the HHS Office of Civil Rights.
But the fine also sends a clear message to other healthcare organizations to comply or face fines and — more importantly — public embarrassment.
As a quick review, the HIPAA (Health Insurance Portability and Accountability Act of 1996) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 impose requirements on control of access, breach notification, and storage of information. Evaluator Group articles about the need to meet compliance requirements for HIPAA are at www.evaluatorgroup.com.
The fine against Cignet reminds me of a conversation I had with the CIO and other senior management of a regional hospital about 18 months ago. We spoke about the archiving requirements for Electronic Medical Records (EMR) and the different retention requirements based on that type of information.
After discussing the retention requirements and the need for using storage systems that met compliance requirements that would pass an audit, the CIO said the hospital was storing all of its data on standard disk systems. When asked about meeting compliance requirements, he said he was not concerned.
He explained that the public depended on this regional hospital. If it was audited due to some complaint or had a loss of data, the public could not do without it and would have to support it. He said his budget did not allow for taking the proper measures for storing data to comply with regulations.
That was an interesting discussion. He was admitting the hospital knowingly violated the regulations regarding the privacy of data but was unwilling to even consider doing something about it. Aside from being appalled, I thought the arrogance would cause an even greater impact when an incident occurred.
Maybe with some institutions a $4.3 million fine is not a major impact. But for most it would be. I would think it tough to put on a budget line item.
But the damage to the institution goes beyond the impact on its budget. The bad publicity can harm its reputation and affect its support over the long term. For the healthcare information professional, the peer group will be aware of failings. Not only will this cause the institution and its staff to be held with a low regard, it may have an effect on potential future employment opportunities.
The media, customers and the Department of Health and Human Services all have long memories. Any other type of incident will cause the lack of privacy protection to be brought up repeatedly. While a fine is a one-time event, the bad reputation may be permanent.