HIPAA fine is a first

Cignet accused of denying patients access to records

Modern Healthcare - The Week In Healthcare - Jessica Zigmond

Like a parent to a disobedient child, HHS last week delivered a harsher punishment to Cignet Health for failing to cooperate than for actually breaking the rules. For the first time, HHS issued a penalty for violating the Health Insurance Portability and Accountability Act’s privacy rule. The violator was Cignet Health, a Temple Hills, Md.-based company with a health plan and four physician offices, which HHS said violated 41 patients’ rights by denying them access to their medical records. Cignet Health did not respond to requests for comment.

Separately last week, HHS announced that Massachusetts General Hospital agreed to pay the federal government $1 million to settle potential HIPAA violations. At issue was the loss of protected health information, or PHI, of 192 patients of the Boston-based provider’s Infectious Disease Associates outpatient practice.

According to HHS, in March 2009, a Massachusetts General employee left documents on a subway train including a patient schedule with names and medical record numbers for 192 patients, as well as billing encounter forms with the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of providers for 66 of those patients. The documents were never recovered.

HIPAA’s privacy rule went into effect in 2003, requiring that health plans and providers take certain measures to protect the patient information they handle. Provisions of the American Recovery and Reinvestment Act extended the obligation to business associates of those covered entities.

As with the Massachusetts General resolution, the only previous payments extracted from enforcement actions under the rule were in the guise of resolution agreements with retail pharmacy chains CVS and Rite Aid, and the Oregon division of Providence Health & Services, a Seattle-based system.

Massachusetts General, which agreed to a corrective action plan, said in a statement that the hospital will issue new or revised policies with respect to physician removal and transport of protected health information from the hospital’s premises, laptop encryption and USB drive encryption. It will also provide mandatory training for all members of its workforce on the new policies.

But in the case of Cignet, the payment to the federal government will come in the form of a fine, which HHS broke down to $1.3 million for violation of the HIPAA rule that requires a covered entity to provide patients with their medical records within 30 (and no later than 60) days; and $3 million for failing to cooperate with HHS’ Office for Civil Rights in its investigations on a continuing daily basis from March 17, 2009, to April 7, 2010.

“I don’t know of a situation where parties haven’t cooperated,” said Stephen Bernstein, a lawyer who leads the health industry practice group at McDermott, Will & Emery in Boston. “And my guess is that’s what upset OCR,” he added.

HHS said Cignet denied 41 patients access to their medical records requested between September 2008 and October 2009 and then refused to respond to investigators’ demands to produce the records. The government filed a petition in U.S. District Court to enforce a subpoena and obtained a default judgment against the company. “On April 7, 2010, Cignet produced the medical records, but otherwise made no efforts to resolve the complaints through informal means,” HHS said in a news release.

Trisha Torrey, who maintains information for the website of AdvoConnection, a group that provides patient-advocacy resources, said she was surprised HHS put some “teeth” into its enforcement, given that the rule has existed for years.

Bernstein said healthcare organizations should have policies and procedures in place to comply with the privacy rule, as well as state privacy laws, “So when OCR calls, you’re in a position to have a conversation that is cooperative, open and upfront.” He added later, “What’s curious to me is what would have happened if Cignet had cooperated.”
