Two separate enforcement actions taken this week by the U.S. Department of Health and Human Services (HHS) for HIPAA privacy violations should serve as a warning to all health care entities, say privacy analysts.
The agency announced on Thursday that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act's privacy provisions.
It's the first time ever since HIPAA became law that such a fine has been imposed on a healthcare entity over a privacy violation.
The HHS said the fine was levied on Cignet for two reasons: For not providing 41 patient's access to their medical records when they asked for it; and for not later cooperating with an investigation into the matter by the HHS's Office for Civil Rights (OCR).
HIPAA's privacy rules require covered entities to provide patients with a copy of their medical records no later than 60 days after it was first requested, the HHS noted.
Cignet's failure to do so earned it a $1.3 million penalty under HIPAA rules. An additional $3 million was assessed against Cignet for its failure to cooperate with OCR investigations and for its repeated refusal to produce records in response to HHS demands.
The other enforcement action this week involved Massachusetts General Hospital , which agreed to pay HHS a total of $1 million to settle potential HIPAA privacy rule violations.
The settlement stems from a March 2009 incident in which documents containing protected health information of 192 patients was inadvertently left behind on a subway train by an employee, and never recovered.
The actions could be a sign that the HHS is finally getting serious about enforcing HIPAA's privacy requirements more stringently, said Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation.
These actions are among "the most significant things that the administration has done for patient privacy," Peel said.
Both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act that was passed as part of the 2009 stimulus package, contain various provisions for protecting the privacy and security of patient data.
"But nobody has been paying attention to them. It's like mass civil disobedience by industry," Peel said. "So this is incredibly welcome for patients."
This week's enforcement actions show that the HHS is getting serious about business process failures that can result in privacy violations, said Peter MacKoul, president of consulting firm HIPAA Solutions LC.
Both of this week's actions stemmed from business process issues and not technology failures, MacKoul said. Weak business processes, such as a failure to ensure that data on laptops are encrypted, or a failure to protect against the use of USB thumb drives, or the improper storage of hard copies, often result in privacy breaches, he said.
"That is the kind of violation that happens a lot," he said.
Covered entities need to be paying attention to such issues but often do not, MacKoul said. "It is interesting that the HHS is using the privacy rule," to go after such violations, he said.
Importantly, the fine against Cignet also shows that the HHS is prepared to come down hard on health care companies that show willful neglect in protecting patient data, he said.
"To me it is very significant that they are willing to apply willful neglect [against Cignet] to the tune of $3 million," MacKoul said. "It's one thing when they write it into law. It's a totally different story when they actually enforce it."
"Covered entities should take note," he said.
This week's HIPAA enforcement actions follows news this week of the number of people whose health care data was lost or stolen continuing to soar.
A report released earlier this week by the accounting firm Kaufman, Rossin & Co. showed that in the first year since the HITECH Act was passed, about 5 million people had their personal health information compromised, either as a result of theft or because the data was lost.
A total of 166 data breach incidents (each involving more than 500 individuals) was reported to the HHS as of Sept. 10, 2010. The largest incident involved a lost laptop containing unencrypted protected health information on 1,222.000 individuals, the report said.
Mass. General Hospital did not immediately respond to a request for comment. Cignet could not be reached immediately.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about privacy in Computerworld's Privacy Topic Center.