First Ever HIPAA Fine Is $4.3M
Trailrunner7 writes "The health care industry's toothless tiger finally bared its teeth, as the US Department of Health and Human Services issued a $4.3M fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first monetary fine issued since the Act was passed in 1996. The US Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health care of Temple Hills, Maryland on February 4. The notice followed a finding by HHS's Office of Civil Rights that Cignet failed to provide 41 patients with copies of their medical records and for failing to respond to requests from HHS's Office of Civil Rights for information related to the complaints."
Next thing you know, the feds will be enforcing FERPA.
I'm surprised that the first fine is due to the portability aspect of the law, not the security portions of the law. Of course, either is a win for consumers!
I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed. Directives by management are common, but when HIPAA impedes patient care (it's a hassle and timekiller to comply completely), it is always worked around. Doctors by and large, in my experience, toss HIPAA aside the first time they have to decide what to do with their limited time - adhere to every last rule or take care of a patient.
I'm really surprised it's taken this long for a fine to come about.
Me: "Could you email me a copy of my (digital) xrays?" ...
Them: "Sorry, that would be a HIPAA violation."
Me: "Could you copy them to my flash drive then?"
Them: "Sorry, that would be a HIPAA violation."
Me: "Okay fine, could you print me a copy?"
Them: "Sorry, we can't print from this system. We set it up that way to save the rainforests."
Think it's about time!
The acronym ends in AA, but doesn't appear to be part of the MAFIAA. Did I miss something?
Who will eventually pay for those fines?
Nothing but hot air puffing up some ego.
I just love it.
to send a large middle finger to the feds by burying them in discovery (this seems fairly common; more info than needed is sent in the hope that it is too large a task), and in response to a HIPPA complaint about their non-compliance with patient medical record access, Cignet violates nearly every portion of the privacy sections of HIPPA.
I think the fine should be 10X
Create like a god, command like a king, work like a slave. -Guy Kawasaki
I first read the headline as 54.3 million and thought 'now that is a fine.' But just 4.3? I tried looking up this company and could find nothing about their revenue, prices, pay for doctors, anything. Is this a small set of clinics that doesn't give their CEO a million in expense accounts, or is it the government forgetting that companies really do compare the cost of a fine versus the cost of complying?
The fact that they would not give the patients their records as requested, totally ignored all legal requests, or finally coughed up 4,500 other records that were not even asked for? This health care company acted either like a spoiled petulant child or a clueless moron. Either way these are NOT the people I want keeping my records.
Far more often, I hear "We can't do that because of HIPPA" being used as a BS excuse instead of a genuine privacy protection.
First case in point, therapist who had my child and my friend's child in a room together, I wanted to go back to see how my child was doing (from the crying screams and sobbing, apparently not well), "No, we can't let you go back due to HIPPA regulations."
Similar, more benign events have always bothered me because it's just a lazy med records worker who throws HIPPA in your face rather than doing their job to get the information you are actually guaranteed access to by HIPPA.
You can read the entire Penalty notice, which lays out a good timeline of what went on. HHS sent them letters, phone calls, sign and return receipt requested letters, then subpoenaed them and after all that Cignet didn't even bother to show up in court. When the judge threatened penalties, they gave thousands of patient charts over, even though the subpoena was for only 30 records.
Looks like they had it coming, or else someone really badly has to fire their office administrator.
For the last several years I've requested and received copies of all medical imaging data for myself, my mother, and my father. In a couple of cases they mailed me a CD, but in all others they gave me the disc before I left. Never any hassle, I just had to ask.
The data is in DICOM http://en.wikipedia.org/wiki/Digital_Imaging_and_Communications_in_Medicine format. There are free viewers for Linux, Mac, and Windows.
I had a CT done of my head. Pretty cool to watch in 3D.
My Dad has a stent in his aorta. Watching the imaging of them testing it for leaks with radioactive contrast is wild.
Insurance companies (sometimes literally) get away with murder and it needs . Bogus denials, unreasonable payment guidelines, lousy record keeping, and piss-poor communication standards need to go! It's about time the law starts applying to this industry. This story is a start... let's hope they start having to answer to rules and regulations like every other industry in this country. Maybe then we can start repairing our flawed healthcare system.
in 3... 2... 1...
I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed. Directives by management are common, but when HIPAA impedes patient care (it's a hassle and timekiller to comply completely), it is always worked around. Doctors by and large, in my experience, toss HIPAA aside the first time they have to decide what to do with their limited time - adhere to every last rule or take care of a patient.
I work in a state governmental agency and we take it very seriously.
You do realize that some are going to interpret your response to mean that in government-run health care the decision will be to give paperwork and rules a higher priority than patient care? I suspect this is not the impression you wanted to make. Perhaps you should elaborate on your response.
If I were a hospital or clinic, I would interpret this the opposite. This is the first time anyone has EVER been fined, and it's for blatant refusals to give medical records to dozens of people or respond to mail. Given what it takes to actually be fined, I would stop harassing people with useless HIPAA notices and using it to obstruct anything from getting accomplished whenever convenient.
Support TBI Research: http://www.raisinhope.org
This doesn't faze them one bit... of the 4 hospitals they run, they have 925 beds between the 4 of them... they're raking in $$$... especially when 99% of Maryland facilities only negotiate 2% discounts.. even on a $51K bill. Blasphemy!
I checked their site and found this...
HOSPITAL AFFILIATION: Southern Maryland Hospital, Clinton, MD, Doctors Community Hospital, Lanham, MD, Laurel Hospital, Laurel, MD, Prince Georges Hospital, Cheverly, MD*
Then I searched the 4 hospitals...
Prince George's Hospital Center - # of beds = 329; Total Patient Revenue: $291,123,454; Total Discharges: 15,789; Total Patient Days: 101,520
Southern Maryland Hospital - # of beds = 276; Total Patient Revenue: $232,772,744; Total Discharges: 18,567; Total Patient Days: 72,954
Doctors Community Hospital - # of beds = 190; Total Patient Revenue: $196,845,854; Total Discharges: 12,357; Total Patient Days: 51,708
Laurel Hospital - # of beds = 130; Total Patient Revenue: $91,931,570; Total Discharges: 7,266; Total Patient Days: 29,500
You do the math!
This company failed to provide medical records to patients for *2 years*. That's far from just failing to adhere to every little detail.
Also seriously: One of the HIPAA loopholes that patients aren't always told about is that HIPAA privacy rules don't necessarily apply when the government gets involved. One could easily argue that Cignet shouldn't have released those 4,500 unneeded records, you bet...but one could also argue that the release of those records didn't automatically trigger a HIPAA violation, as they were released in response to an oversight request, e.g. "Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law." (source: CDC.gov). If HITECH changed that, it'd be news to almost everyone -- when is the last time that the government willingly adopted rules restricting their own capabilities?
Regardless, IMO if they would've done exactly the same release of information BUT responded in a timely fashion to the Government's demands, there wouldn't have even been a $43 fine. Because that's the way that the Government seems to work.
And the unwashed masses still think HIPAA is spelled "HIPPA"
THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
they tried the bury them with paper defense. this rarely works against the government or any other large group that can throw all the bodies at the problem that they need.
1. Sorry, but not sure in what sense this is "the first monetary fine issued since the Act was passed in 1996."
July 19, 2008: A Seattle-based health system has agreed to pay a $100,000 HIPAA fine to HHS--as well as improve its medical data security--after failing to properly secure data backup tapes, disks and laptops. This marks the first time HHS has agreed to a Resolution Agreement. During 2005 and 2006, medical data was stolen from Providence Health & Services several times, with backup tapes, optical disks and laptops being lost or stolen repeatedly. All told, the unencrypted personal health information of more than 386,000 patients was compromised.
http://www.fiercehealthit.com/story/seattle-system-will-pay-100k-hipaa-fine-after-repeated-breaches/2008-07-19#ixzz1F0nM91Sd
2. In 1996 there was nothing to fine. The rules to which these fines apply went into effect in 2005 for large organizations, 2006 for small ones. HHS started auditing in 2007. First fine 2008.
3. Do they teach fact-checking in journalism any more?
Stephen Cobb, CISSP
So please don't go creating a nationwide medical information regulation behemoth on my account. Also, can I have my money back? I'm happy to stick with whatever privacy my doctor thinks is appropriate/inexpensive, and of course the fact that pretty much nobody cares in the first place. This is why these things should be determined by the marketplace. Government misdirects capital.
Anyone who complains about the high cost of healthcare and at the same time thinks HIPAA is a good idea doesn't know the slightest thing about healthcare. HIPAA compliance adds a tremendous bureaucratic burden on healthcare providers and is so effective that it has produced one successful lawsuit in 15 years. What a triumph. Billions wasted with no discernible benefit.
"The health care industry's toothless tiger finally bared its teeth [...]"
Congratulations on writing one of the worst sentences ever.
All they'll do is pass the cost to patients. If you want the law to have teeth, you threaten to throw their officers' sorry asses into pound-me-in-the-ass prison. That'll get their undivided attention and obedience.
ELOI, ELOI, LAMA SABACHTHANI!?
Mass General agreed to pay a $1 million fine this past week for a HIPAA violation. One of its staff members left the records for 192 patients on a subway train. They were never recovered.
http://www.hhs.gov/news/press/2011pres/02/20110224b.html
These are the kinds of practices HIPAA was designed to prevent. I, for one, am glad to see HHS enforcing these rules. Just the fact that someone could be carrying the records for 192 patients around with them while commuting shows how cavalierly some medical staff handle their patients' personal data.
Don't worry the "Conservative" courts will void it on appeal. You have to protect the corporations, the economy depends on them. All people are created equal, but some are more equal than others....
putting the 'B' in LGBTQ+
And smartasses forget the periods at the end of sentences.
They don't run those hospitals. They are a small medical practice with just a few doctors. One admin office and one patient care office. If this fine stands up, they are done.
Obviously there's regional variation for this. I'm also a med student who has worked in several hospitals, and I've yet to find one where HIPAA is *not* rigorously followed, even when this creates weird and novel situations. Such as when a white board for patient names, details, and staff assignments is visible to patient or public areas, and gets changed to an entire list of last names' first two letters plus first initial. So everyone is Le or Je or Su or Ma, and basically it looks like the entire patient population is now Vietnamese.
In my experience, the issue is with people less educated about HIPAA's constraints and permissible information sharing instead taking it as a blanket ban on discussing *anything* about a patient - even when in non-public areas and among a treatment team. In point of fact, the JCAHO regs around patient identifying information and public discussion tend to be stricter than HIPAA when it comes to medical centers.
Da Blog
most people save them in Word documents on a shared drive, accessible by anyone in the institution and blatantly violating HIPAA
I've seen that happen. But you know what? You can make Word encrypt your docs quite securely with a single click. There's really no excuse for leaving world-readable docs lying about when it's so trivial to harden them.
"as much as 90 percent of the published medical information that doctors rely on is flawed"
I'm pretty sure there's a Sturgeon's Corollary out there someplace, where it is revealed that as each discipline begins to examine itself, it finds that the evolution of its episteme tends to approach Sturgeon's Revelation asymptotically.
Welcome to reality, where if you live long enough, everything you think you know *for sure* will turn out to be wrong. Or maybe just misguided. The real test is how you deal with new knowledge. Do you keep up and stay current, or do just relax and maintain an elaboration of a worldview and assumptions fundamentally frozen during your adolescence. Doctors are taught over and over in med school that what they are learning is provisional, rapidly changing, and contingent. Many fail to assimilate that important lesson, but many do not.
Windows is NOT universal for medical record storage. Linux and AS400 are very much in use. Also, Windows does not silently push out any patches to our network. Each one is reviewed and approved before distribution to our workstations and servers using WSUS. HIPPA is taken very seriously at all levels in our hospital and our IS organization. Our CIO literally stays up nights worrying over potential security holes.
Please mod me 1 or troll. It's where the truth is these days, even on Slashdot. Beware the power of moderators everywh
Yep. And the bigger they are, the more likely they are on a UNIX system. I make most of my money because the kids don't get the difference between / and \
In your overly ornate categorical prescription of the "difference" between the reified 'Science' and 'Arts' as discrete and self-similar fields of human activity, you are conflating intentionality with ontology. You are also ascribing a teleological direction to the "progress" of human activity, and authoring a moral judgement upon the "forces" that constrain "scientific progress" within medicine. Lastly, I suspect you are promulgating Polanyi-Kuhn incommensurability between scientific paradigms, a notion that has many supporters, but also many detractors, and is in many areas orthogonal to your teleological framing. You fail to address the tension between these two theses. In short, your argument as presented, while possessing merit, does not produce a sufficient synthesis to derive a satisfactory conclusion, especially when considering your moral focus.
I always RTFA. The fact that you and I both seem to have read the same material, and are using the same language and grammar, yet are failing to communicate, is in a sense the essence of incommensurability in action. We are expressing different paradigms, which is ironic given the Polanyi-Kuhn comment. The fact that you say you do not know who Polanyi or Kuhn were or what they said does not negate the fact that you used an argument very similar to theirs.