The health care industry’s toothless tiger finally bared its teeth, as the U.S. Department of Health and Human Services issued a $4.3 million fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first monetary fine issued since the Act was passed in 1996.
The U.S. Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health Care of Temple Hills, Maryland, on February 4. The notice followed a finding by HHS’s Office of Civil Rights that Cignet had failed to provide 41 patients with copies of their medical records and had failed to respond to the Office’s requests for information related to the complaints.
A copy of the penalty notice against Cignet depicts a two-year effort in which HHS struggled with what appears to be a dysfunctional Maryland provider, unaware of the potential impact of HIPAA noncompliance and unwilling or unable to cooperate with HHS in any way.
Following patient complaints, Cignet ignored repeated inquiries from HHS about the missing health records, as well as a subpoena granted to HHS’s Office of Civil Rights ordering Cignet to produce the records or otherwise defend itself. When a court ordered the provider to respond, it disgorged not just the patient records in question but 59 boxes of original medical records to the U.S. Department of Justice. Those boxes included the records of the 11 individuals listed in the Office of Civil Rights subpoena, 30 other individuals who had complained about not receiving their medical records from Cignet, and records for 4,500 other individuals whose information the Office had not requested.
In the end, HHS’s Office of Civil Rights found that Cignet showed “willful neglect of its obligation to comply with the requirement of the Privacy Rule” and, in essence, threw the book at the Maryland provider.
HIPAA has been a force in the health care industry for more than a decade, forcing health care providers of all stripes to institute tighter controls over patient data. For years after its passage, however, HIPAA lacked strong language about enforcement and penalties for noncompliance. That changed with the passage of the HITECH Act, part of the American Recovery and Reinvestment Act of 2009, which strengthened HIPAA’s privacy and information security provisions and expanded the list of entities covered by the law.




It is about time… I like the title of this article…
They should be suing their attorney for malpractice.
Damages should be on a time-based scale.
The LONGER it takes a violator(s) to respond, repair, disclose, etc., the GREATER the penalty there should be.
rob k
Fine and regulate people, businesses, and all to death! The quicker the system fails and falls… the quicker the restart. Are you prepared?
So, is the wrongdoing not giving patients their records, or giving the DoJ records not covered by the subpoena? I’d say the latter is a more serious offense.
Both would be in violation. I actually find it very funny that in the F You way they replied to the subpoena, i.e. dig through all this, they actually created a greater violation. Way to go, Cigna.
To whoever is bitching about fines and regulations, what else is a patient supposed to do when a monopoly business (insurance companies are allowed to collude on prices) fails to provide even the most minimal of services?
I hope you enjoy your rebooted future where businesses are welcome to take your money and there is no government to force them to provide the services they’re obligated to.
Sorry, but in what sense is the fine you refer to “the first monetary fine issued since the Act was passed in 1996”?
July 19, 2008: A Seattle-based health system has agreed to pay a $100,000 HIPAA fine to HHS, as well as improve its medical data security, after failing to properly secure data backup tapes, disks and laptops. This marks the first time HHS has agreed to a Resolution Agreement. During 2005 and 2006, medical data was stolen from Providence Health & Services several times, with backup tapes, optical disks and laptops being lost or stolen repeatedly. All told, the unencrypted personal health information of more than 386,000 patients was compromised.
Who gets the money?? That’s the real question… I’ll bet it’s the government.
I think this is the first time an organization’s been fined since the passage of the HITECH act.
The purpose of the law is to keep electronic health information as secure as your electronic banking. Violators deserve the fines and consumers deserve the protection. Refusing to provide a patient with access to their own medical records is pathetic and inept.
I think the real issue here was their attitude and response. It appears they were given plenty of chances to resolve the issue. It’s things like this, though, that will lead to the regulators being less patient and more aggressive.
The bottom line is that companies are allowing our records to fall into the wrong hands even though there is technology that will prevent it. They simply don’t want to spend the money on fully encrypting their stored records and communications. Many aren’t even encrypting stored data, but the real vulnerability few are addressing is in transmitted data.
Perhaps this will be a wakeup call for companies to start implementing encryption for all data storage and communications – as they should have been doing in the first place.
The question should be: how do you secure something when there are those out there that can break it? Encryption is like a fence; it only keeps the honest people out. Put tracker software in, find the people doing it and arrest them. Send a message to the people using the info for illegal purposes.
They should use some encrypting software to protect data.
There is a lot of available software, and it is reliable and easy to use, like TrueCrypt, McAfee, etc…
As someone who works in a health care field, I think it’s kind of unfair to assume all healthcare providers or organizations are as bad as this. While I can’t mention which company I work for, I do know we have exceeded the requirements for HIPAA for as long as I can remember. The gross mishandling of data by this particular provider did indeed warrant the fines levied.
As far as encrypting information goes, I totally agree that bare naked information should never be transmitted or transported. That’s just asking for trouble.
“The action is the first monetary fine issued since the Act was passed in 1996.”
Not true. In 2008, Providence Health & Services of Seattle was fined $100,000 for negligence resulting in the theft of electronic media containing sensitive information. In 2009, CVS was fined $2.25 million for improperly disposing of PHI in public dumpsters, and in 2010 Rite Aid was fined $1 million for similar violations. Also, in 2010, Management Services Organization Washington was fined $35,000 for using PHI for marketing purposes. Please get your facts straight.
Rob: It is based on a time scale.
If you read the report you’ll see that for every day they failed to cooperate in giving the patients their records they were fined $100 per record per day.
For failing to cooperate with the investigation they were fined $50,000 per patient per day (the latter is capped at $1.5M per year so they actually got off easy).
Not Cigna, Cignet.
CIGNET not Cigna.
There is a difference.
This isn’t all about an insurance company being the problem. This is about the PROVIDER being the problem… which is one of the reasons managed care came into existence in the first place.
To whoever is bitching about fines and regulations, what else is a patient supposed to do when a monopoly business (insurance companies are allowed to collude on prices) fails to provide even the most minimal of services?
I hope you enjoy your rebooted future where businesses are welcome to take your money and there is no government to force them to provide the services they’re obligated to.
——————————————————————————————————————–
I hope you read this. This is CIGNET HEALTHCARE.
It is NOT CIGNA Insurance.
BIG difference. Insurance companies have been fined and fined. It is about time that providers have to start doing the right thing too. It was supposed to be HEALTHCARE Reform. Media and publicity-hungry people keep calling it HEALTH INSURANCE Reform.
Not Cigna the insurance company… Cignet. Pay attention to the name of the medical PRACTICE in the article.
it is Cignet, not CIGNA