It is no secret that the changes to the HITECH Act have made tracking and reporting possible breaches of protected health information (PHI) an important function of operations at hospitals and medical practices around the country. Knowing what constitutes a violation and how to avoid breaches when handling patient health information are critical components to running a successful practice today, because even one violation can be financially devastating.
Prior to a couple of weeks ago, there had not been any financial or civil penalties associated with the HITECH changes to HIPAA. However, the Obama administration is toughening its enforcement of medical privacy laws. As a result, there have been two news-shattering stories in the past few weeks that are bringing to light the grave consequences associated with HIPAA violations.
Cignet Health Fines $4.3M for HIPAA Violation
In the first ever civil money penalty handed down for violation of HIPAA privacy rules, the U.S. Department of Health and Human Services (HHS) is fining Maryland-based health insurer, Cignet Health, a whopping $4.3 million. According to HHS Office for Civil Rights (OCR), Cignet was fined $1.3 million for denying 41 patients access to their medical records between September 2008 and October 2009. Cignet was then fined an additional $3 million for failing to cooperate with the OCR investigation. According to the Associated Press, Cignet “refused to comply with the OCR subpoena to produce the records” until it received a federal court order.
Massachusetts Hospital to Pay $1M to Settle Alleged Patient Privacy Violations
Two years ago, a Massachusetts General Hospital (MGH) employee lost patient records on a subway car of the T’s Red Line while commuting to work. Unfortunately, the records have never been recovered. An investigation was started by the HHS Office for Civil Rights (OCR), after receiving a complaint from a patient whose protected health information was lost on March 9, 2009. According to OCR, the lost documents included a patient schedule that contained the names and medical record numbers for a group of 192 patients, as well as billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of providers for 66 patients.
According to OCR the hospital announced it agreed to pay the federal government $1 million to settle potential violations of patient privacy laws. As a part of the settlement MGH is also required to remit “semi-annual compliance reports” to HHS for the next three years. MGH has also agreed to develop a comprehensive new privacy policy to prevent patient information from being compromised in the future, and to provide training to workers.
ScanSTAT understands that ensuring compliance with the HITECH changes to HIPAA in order to avoid penalties like the ones above has become a burden on many practices. ScanSTAT can help take the threat of heavy fines off our customers by transferring the liability burden to us. Our medical record fulfillment service is operated by experts who are held to the highest standards, which means not only are your records secure during the process, but the job is being done RIGHT! What’s more, we handle records requests within 24 hours and usually at NO COST to the provider. To learn more about ScanSTAT’s Release of Information services, contact us today.