In the past year, the Office for Civil Rights (OCR), the federal office responsible for enforcing HIPAA privacy requirements, has finalized the rule by which all covered entities and their business associates are required to protect the personal and health information of the patients they serve. The rule details the actions required after a breach of the privacy rule, including notification of patients. In the past month, OCR has begun to publish significant fines imposed on organizations that have been found responsible for a breach of that privacy rule.
Lots of folks have been waiting to see what kind of fines the OCR would impose upon organizations found responsible for breaches. We are beginning to find out.
On February 14, 2011, HHS entered into an agreement with Massachusetts General Hospital in which the hospital organization agreed to pay $1 million because of the loss of data of 192 patients of one of its outpatient practices. The information lost was on paper and was lost on a subway train. The hospital also agreed to enter into a Corrective Action Plan (CAP) including the implementation of policies and procedures to protect the PHI of its patients.
For those of you who thought these requirements do not affect you if you do not keep any patient information in an electronic form, it is clear that is not how OCR views it. Paper is also vulnerable and OCR is determined to protect that PHI.
The second announced fine was placed on Cignet Health of Prince George’s County, Maryland. They were fined $4.3 million. They were accused of denying 42 patients access to their medical records, failing to cooperate with OCR in its investigation of the complaints, and indeed failing to reply to OCR’s notifications. OCR determined that “the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.”
For those of you who have thought that not keeping records of treatment might be the safest course of action, please think again. If you cannot provide the record when a patient requests it, they have every right to complain and to seek a judgment against you.
Of course, your organizations all have Privacy Policies. Do you know what they are? Do you follow the Procedures that your organization has developed? Does everyone? Part of the requirement is that employees be properly trained in what the policies and procedures are and that their training is regularly refreshed. Oh, and yes, part of the requirement is that the Privacy Officer makes sure the owners of the practice or the Executive Director or Board of Directors is well-informed about how the policies are implemented.
How is your organization doing with the stricter Privacy Rule requirements imposed by the HITECH Act? Please share your thoughts, fears and struggles with these requirements and how they affect your organization. Just enter your comments below.