HHS getting stricter at business process failures causing HIPAA violations

by | Mar 18, 2011

U.S. Department of Health and Human Services made two announcements last month:
1. It had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act’s privacy provisions.
2. The Massachusetts General Hospital had agreed to pay HHS a total of $1 million to settle potential HIPAA privacy violations.

HHS said the fine was levied on Cignet for two reasons: It did not give 41 patients access to their medical records when they asked for it, and it did not subsequently cooperate with an investigation into the matter by HHS’s Office for Civil Rights (OCR). Cignet’s failure to comply with HIPAA Rules earned HHS a $1.3 million penalty. An additional $3 million penalty was assessed against Cignet for its failure to cooperate with OCR investigations and for its repeated refusal to produce records in response to HHS demands.

Massachusetts General Hospital came under the claws of HHS when in March 2009, it lost documents containing protected health information on 192 patients when an employee inadvertently left them on a subway train. In a statement, Massachusetts General Hospital said it will be issuing new or revised polices on issues such as the removal and transportation of material containing protected health data, laptop encryption and USB drive encryption. “After these policies and procedures are issued, we will be providing mandatory training on them. All members of our workforce must participate in the training and certify that they have completed it,” the hospital said in a statement.

Both of these penalties indicate that HHS is taking a hard look at business process failures that can result in privacy violations, said Peter MacKoul, president of consulting firm HIPAA Solutions LC.

ICD 10 : Offering strategic consulting services for all steps of ICD 10 implementation, Dell’s clinical consulting solutions can improve your company’s care delivery and clinical processes from the start of your ICD 10 implementation date to its finish.

3-Steps to HIPAA Compliance

Step 1 : Download Checklist.

Step 2 : Review Your Business

Step 3 : Get Compliant!

Our HIPAA compliance checklist will outline everything your organization needs to become fully HIPAA compliant. Fill in the form below to download it now.

View our privacy policy