The US Department of Health and Human Services (HHS) fined Massachusetts General Hospital $1 million today for losing the medical records of 192 patients, the second ever fine imposed on a healthcare organization for violating the Health Insurance Portability and Accountability Act (HIPAA).
HHS’s Office for Civil Rights (OCR) made the following statement in their press release:
“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”
The records lost in this case were paper, not electronic, but the law and its penalties apply to patient information in either form. There is one important difference for electronic records, though: under the HITECH breach notification rule, lost or stolen records that were encrypted in line with HHS guidance (and whose encryption key was not lost along with them) are not treated as a breach of unsecured health information, so you are not required to notify HHS or the affected patients of the incident. In other words, encrypt your data!
The first ever fine for HIPAA violations, imposed on Tuesday, was $4.3 million against Cignet Health of Maryland. Cignet had failed to provide patients with a copy of their medical records upon request.
The really disturbing part, though, came after Cignet attempted to ignore the government’s enforcement action: not only did it deliver the 41 patients’ records to the Department of Justice, it handed over 59 boxes of patient medical records, including records for 4,500 people unrelated to the case.
From time to time, I have asked health care professionals what they are doing to comply with HIPAA. One doctor told me, “When they start putting doctors in jail, I’ll worry about encrypting my records.” Maybe these enforcement actions by HHS will change his mind.
Data Leakage Prevention tools and encryption can both play a part in being HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act) compliant. For details on how Sophos can help, browse over to our HIPAA hot topic page.
If you work in the healthcare industry, stop by our booth at the Healthcare Information and Management Systems Society conference in Orlando, March 21st to 23rd. You can find us at booth 5178 to learn more about how we can help you secure your patients’ information.
Creative Commons image of Mass General pin courtesy of nursing pins Flickr photostream.
One employee forgets paper records on the T, and the hospital is fined $1mil…wow. Hopefully this event will help other healthcare organizations realize the importance of protecting patient data. Great post.
This is a very serious violation. Anyone who violates this law can and will be thrown in jail. Anyone who works in the health care field should be aware of HIPAA and know what the consequences are for violating it. They mean business, and a hospital gets fined $1 million. That should be enough to get everyone aware of what happens. Great post!!
A $1 million fine means nothing to MGH (or most large hospitals). The Mass Gen research budget alone is $550 million. In 2009 their annual budget set aside over $29 million just for bad debts. For more info see the PDF annual report here:
http://www.massgeneral.org/about/overview.aspx
Hello there! Use of a HIPAA-compliant default mapping template allows an EDI manager to spend little time completing the mapping for a carrier, as most of the mappings are already taken care of by the default template.