HIPAA fines prove the value of data protection

The US Department of Health and Human Services (HHS) fined Massachusetts General Hospital $1 million today for losing the medical records of 192 patients, the second ever fine imposed on a healthcare organization for violating the Health Insurance Portability and Accountability Act (HIPAA).

HHS’s Office for Civil Rights (OCR) made the following statement in their press release:

“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

The records that were lost in this case were not electronic, but the law and penalties do not differentiate. However, if encrypted electronic records are lost, you are not required to notify HHS or patients of the incident. In other words, encrypt your data!

The first ever fine for HIPAA violations, imposed on Tuesday, was $4.3 million against Cignet Health of Maryland. Cignet had failed to provide patients with a copy of their medical records upon request.

The really disturbing part, though, was that after Cignet tried to ignore the government’s enforcement action, it not only delivered the 41 patients’ records to the Department of Justice, it handed over 59 boxes of patient medical records, including records for 4500 people unrelated to the case.

HHS document on Cignet fine

From time to time, I have asked health care professionals what they are doing to comply with HIPAA. One doctor told me, “When they start putting doctors in jail, I’ll worry about encrypting my records.” Maybe these enforcement actions by HHS will change his mind.

Data Leakage Prevention tools and encryption can both play a part in being HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) compliant. For details on how Sophos can help, browse over to our HIPAA hot topic page.

If you work in the healthcare industry, stop by our booth at the Healthcare Information and Management Systems Society conference in Orlando, March 21st to 23rd. You can find us at booth 5178 to learn more about how we can help you secure your patients’ information.

Creative Commons image of Mass General pin courtesy of nursing pins Flickr photostream.