HIPAA fines prove the value of data protection

Filed Under: Data loss, Law & order, Privacy

The US Department of Health and Human Services (HHS) fined Massachusetts General Hospital $1 million today for losing the medical records of 192 patients, the second ever fine imposed on a healthcare organization for violating the Health Insurance Portability and Accountability Act (HIPAA).

HHS's Office for Civil Rights (OCR) made the following statement in their press release:

"We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information."

The records that were lost in this case were not electronic, but the law and penalties do not differentiate. However, if encrypted electronic records are lost, you are not required to notify HHS or patients of the incident. In other words, encrypt your data!

The first ever fine for HIPAA violations, imposed on Tuesday, was $4.3 million against Cignet Health of Maryland. Cignet had failed to provide patients with a copy of their medical records upon request.

The really disturbing part, though, came after Cignet tried to ignore the government's enforcement action: they not only delivered the 41 patients' records to the Department of Justice, they handed over 59 boxes of patient medical records, including records for 4500 people unrelated to the case.

HHS document on Cignet fine

From time to time, I have asked health care professionals what they are doing to comply with HIPAA. One doctor told me, "When they start putting doctors in jail, I'll worry about encrypting my records." Maybe these enforcement actions by HHS will change his mind.

Data Leakage Prevention tools and encryption can both play a part in being HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) compliant. For details on how Sophos can help, browse over to our HIPAA hot topic page.

If you work in the healthcare industry, stop by our booth at the Healthcare Information and Management Systems Society conference in Orlando, March 21st to 23rd. You can find us at booth 5178 to learn more about how we can help you secure your patients' information.

Creative Commons image of Mass General pin courtesy of nursing pins Flickr photostream.


4 Responses to HIPAA fines prove the value of data protection

  1. Mariah Russell · 1651 days ago

    One employee forgets paper records on the T, and the hospital is fined $1mil...wow. Hopefully this event will help other healthcare organizations realize the importance of protecting patient data. Great post.

    • Jon Fukumoto · 1647 days ago

      This is a very serious violation. Anyone who violates this law can and will be thrown in jail. Anyone who works in the health care field should be aware of HIPAA and know what the consequences are for violating it. They mean business and a hospital gets fined $1 million. That should be enough to get everyone aware of what happens. Great post!!

  2. Ben · 1644 days ago

    A $1 million fine means nothing to MGH (or most large hospitals.) The Mass Gen research budget alone is $550 million. In 2009 their annual budget set aside over $29 million just for bad debts. For more info see the PDF annual report here:

  3. Benefits Park · 784 days ago

    Hello there! Use of a HIPAA-compliant default mapping template allows an EDI manager to spend little time completing the mapping for a carrier, as most of the mappings are already taken care of by the default template.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.