HHS is sending a very clear message with one of its latest penalties--if you're caught with a violation of HIPAA privacy or security laws, you're going to be fined ... a lot. It recently levied a hefty penalty of $4.3 million on a healthcare provider in Maryland. That's a penalty that should make all healthcare organizations, including health plans, stand up and take notice of the somewhat forgotten HIPAA law.
HHS also made it clear that if, after the agency determines a violation has occurred and you don't cooperate with their demands, you're going to be fined even more. A large chunk of the fine--$3 million--was for willful neglect. In fact, just a few days after issuing the $4 million penalty on Cignet Health, HHS imposed a $1 million fine on Massachusetts General Hospital because it failed to maintain control of 192 patients' health information. This penalty wasn't as severe because, according to HHS, Mass General cooperated with its investigation and agreed to take corrective actions to remedy the problem.
Cignet Health failed to provide medical records to 41 patients and then failed to cooperate with a subsequent government investigation. As FierceHealthcare editor Sandra Yin writes, Cignet's experience is a cautionary tale. Besides violating the HIPAA privacy rule, it failed to respond to the HHS Office for Civil Rights' demands to produce the records. When OCR ratcheted up the pressure and issued a subpoena, Cignet still did not produce records. Only after OCR filed a petition to get a federal court to order Cignet to produce the records did the company stir. Eight days later, the DOJ received the records for the 41 patients--as well as records for about 4,500 other patients, whose information Cignet should not have disclosed since they weren't part of the probe.
Health plans are, of course, subject to the HIPAA privacy and security requirements and should take the recent penalty as a reminder to get their own house in order. Fortuitously, the folks at Deloitte just released a report reminding such companies of the exact same message.
Deloitte found the healthcare industry's current processes to ensure privacy and mitigate security risk is "woefully inadequate." In particular, "the potential for health plan privacy and security data breaches is substantial," Deloitte says in a new issue brief, Privacy and Security in Health Care: A fresh look.
For example, as insurers increase their usage of such social media platforms as Facebook and Twitter to reach out to members (and nonmembers), they must adhere to patient privacy standards throughout all conversations. Patient information exchanged via social media networks as well as mobile devices is subject to HIPAA regulations.
Many health plans, despite recent data breaches, fail to maintain an updated version of their notice of privacy practices disclosure and lack control over third parties' use of patient information they provide. Implementation of HIPAA 5010 in 2012 and ICD-10 in 2013 "assure added risk from expanded security challenges," Deloitte says.
To decrease these privacy and security risks, Deloitte recommends health plans make data protection and security priorities among their workforce. They should train internal staff, restrict user access and revise contracts with their business associates to enable secure data handling. Individual accountability and staff awareness of the repercussions of breaches can also help.
The potential for data breaches is significant and increasing. "Stakeholders must act now to prevent compromising sensitive patient data, preserve brand value, and avoid substantial financial penalties for violations." And we now know that if health plans fail to comply, HHS isn't afraid to come out of their corner swinging with both fists. - Dina