First Ever HIPAA Fine Is $4.3M
Trailrunner7 writes "The health care industry's toothless tiger finally bared its teeth, as the US Department of Health and Human Services issued a $4.3M fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first monetary fine issued since the Act was passed in 1996. The US Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health care of Temple Hills, Maryland on February 4. The notice followed a finding by HHS's Office of Civil Rights that Cignet failed to provide 41 patients with copies of their medical records and that it failed to respond to requests from HHS's Office of Civil Rights for information related to the complaints."
I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed. Directives by management are common, but when HIPAA impedes patient care (it's a hassle and timekiller to comply completely), it is always worked around. Doctors by and large, in my experience, toss HIPAA aside the first time they have to decide what to do with their limited time - adhere to every last rule or take care of a patient.
I'm really surprised it's taken this long for a fine to come about.
Sounds like exactly what this lawsuit was about. Not giving patients their records.
Yeah, and I never looked into HIPAA enough to realize until now that it included protecting the patient's right to access, not just privacy. Good ammo for my next visit.
I just love it.
to send a large middle finger to the feds by burying them in discovery (this seems fairly common, more info than needed is sent in the hopes that it is too large a task), and in response to a HIPPA complaint about their non compliance with patient medical record access, Cigna violates nearly every portion of the privacy sections of HIPPA.
I think the fine should be 10X
Create like a god, command like a king, work like a slave. -Guy Kawasaki
The fact they would not give the patients their records as requested, totally ignored all legal requests, or finally coughed up 4,500 other records that were not even asked for? This health care company acted either like a spoiled petulant child or a clueless moron. Either way these are NOT the people I want keeping my records.
Me: "Could you email me a copy of my (digital) xrays?" Them: "Sorry, that would be a HIPAA violation."
That would be since your name is on them and, as we all know, email is basically an electronic postcard. You certainly can make secure email systems and larger health care organizations often have them. Smaller places just don't want to bother with it yet. Keep whining at them.
Me: "Could you copy them to my flash drive then?" Them: "Sorry, that would be a HIPAA violation."
That's not a HIPAA violation, that's an obvious security issue. Nobody in their right mind would let you plug some random flash drive into the hospital network.
Me: "Okay fine, could you print me a copy?" Them: "Sorry, we can't print from this system. We set it up that way to save the rainforests." ...
If that's really true, then the health care provider is bullshitting you. Everybody has the capacity to print on xray film - that's the current "lowest common denominator" for radiologic data. The other common way is a CD and pretty much anybody I've seen can at least do CDs of CT or MRI data (since that is always digital anyway).
HIPAA is currently being used as the common excuse for not wanting to do something in Medical Records. It's a handy little bogeyman. There has to be some upside to Governmental regulation.
Faster! Faster! Faster would be better!
For the last several years I've requested and received copies of all medical imaging data for myself, my mother, and my father. In a couple of cases they mailed me a CD but in all others they gave me the disc before I left. Never any hassle, I just had to ask.
The data is in DICOM http://en.wikipedia.org/wiki/Digital_Imaging_and_Communications_in_Medicine format. There are free viewers for Linux, Mac, and Windows.
I had a CT done of my head. Pretty cool to watch in 3D.
My Dad has a stent in his aorta. Watching the imaging of them testing it for leaks with radioactive contrast is wild.
tm
Support TBI Research: http://www.raisinhope.org
As someone who's both managed university systems and who's specifically requested that their directory information not be made public as per the Buckley amendment, I can tell you that it's taken very seriously.
The problem was, they were using people's SSNs as unique identifiers throughout the system. It was even printed on your student ID card. That's what needs to be fixed -- the government needs to force companies/colleges/whatever to stop using and exposing people's SSNs all the damned time.
Build it, and they will come^Hplain.
This doesn't faze them one bit... of the 4 hospitals they run, they have 925 beds between the 4 of them... they're raking in $$$... especially when 99% of Maryland facilities only negotiate 2% discounts.. even on a $51K bill. blasphemy!
I checked their site and found this...
HOSPITAL AFFILIATION: Southern Maryland Hospital, Clinton, MD, Doctors Community Hospital, Lanham, MD, Laurel Hospital, Laurel, MD, Prince Georges Hospital, Cheverly, MD*
Then I searched the 4 hospitals...
Prince George's Hospital Center - # of beds = 329; Total Patient Revenue: $291,123,454; Total Discharges: 15,789; Total Patient Days: 101,520
Southern Maryland Hospital - # of beds = 276; Total Patient Revenue: $232,772,744; Total Discharges: 18,567; Total Patient Days: 72,954
Doctors Community Hospital - # of beds = 190; Total Patient Revenue: $196,845,854; Total Discharges: 12,357; Total Patient Days: 51,708
Laurel Hospital - # of beds = 130; Total Patient Revenue: $91,931,570; Total Discharges: 7,266; Total Patient Days: 29,500
You do the math!
The company.
If they try to pass that on to their customers, their customers will leave them; there is ample competition for that to be an effective punishment that can't simply be fobbed off.
And the unwashed masses still think HIPAA is spelled "HIPPA"
THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
No, the real solution is that no one should expect SSNs to be a secret. It is not a password, and it should never be used as one.
Why isn't it? We've made LAWS saying that this stuff IS important.
And also having worked in government public health, it is something taken very seriously. Lives ARE on the line. Example: A database with AIDS patient information being 'leaked' in the wrong part of the wrong state/country to the wrong people very well might end up with people being beat to a bloody pulp because some ignorant fuck finds out some guy has AIDS and assumes that means he's also gay AND deserves a beating.
There's of course all the issues of discrimination due to ignorance when it comes to medicine as well, especially with things relating to mental health.
So yes, I expect them to follow the law and if that means occasionally it hurts people then we either change the law or we accept that the good it does outweighs problems it causes.
You however, DO NOT GET TO DECIDE because THE PUBLIC COLLECTIVELY HAS DECIDED.
You're looking at it through a tiny instant in time through a tiny pinhole and ignoring everything else, trying to come up with an instance to justify your reaction to his statement; the problem is that you are completely unqualified (I say that based on the fact that you raised the question alone) to make that decision, which is why it isn't your decision and there are laws relating to it.
Again. YOU DON'T GET TO DECIDE WHICH LAWS TO FOLLOW AND WHEN YOU FOLLOW THEM, but you do get to vote for the people who make the laws. Change the laws or follow them, nothing else is acceptable.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I'm surprised that the first fine is due to the portability aspect of the law, not the security portions of the law.
I'm not. Anyone familiar with medical records and computer security issues considers the security portions of HIPAA a joke.
The primary reason is that medical records are pretty much universally kept on MS Windows systems. There are several reasons why this makes data security a joke. The main one has been discussed here at /. several times: Windows has an automatic update feature, which you can turn off for "application" level software. However, it can't be turned off for "system" level software. MS has admitted that this has been true since XP. Their excuse is that kernel security issues are taken seriously, and updates are mandatory.
However, if you think about this for a few seconds, it obviously means that any time your Windows system is connected to the Internet, MS can silently install any new software they like. If your machine isn't reporting the contents of selected files to a .microsoft.com site now, it could be by the time you read this, and unless you're a real Windows security guru, you'd never suspect.
So if you're running Windows, you must assume that anyone who has "socially engineered" a connection at MS has access to all of your data.
And, lest you think this is all spurious, you might look around in the records of the internet back in the 1990s when MS was first supplying systems with internet access. There are multiple reports of people getting curious about why their modem's lights were flickering when the machine was idle. Attaching a line monitor showed that the traffic was a list of the contents of the disk, being sent to a .microsoft.com address. The server on the other end could obviously also ask for the contents of files. This was ignored by the media and most managers, but it was noticed by the geeks among us with even minimal understanding of network security. Similar behavior has been reported for most releases of Windows.
This all has obvious application to HIPAA rules. My wife has worked with medical data for several decades now, at several employers. Every one of them worked exclusively on Windows systems. She has a Windows partition on her Mac "for work", and uses it a lot. She also has a work-supplied take-home Windows laptop. It's true that they use VPN to connect to the office computer systems. But this does nothing for the above issues. Since her Windows partition and laptop are connected to our home network, VPN just supplies an internet connection to her office machines, so their "silent upgrade" feature can work any time she's connected. This shoots down any claims that her office is protected from malicious sites (such as microsoft's ;-) by VPN. We've verified that both her Windows systems can easily access .microsoft.com web sites while connected via VPN, showing that there is a data path for MS's silent update software to work.
This is hardly a secret. We've discussed it here on /., and it's been discussed in lots of other forums. Microsoft has a clear and obvious silent path to any medical data stored on their systems, any time they have an internet connection, which is almost all medical systems in the US. Anyone who can bribe the right people at MS also has such access.
So the fact that HIPAA rules don't forbid the use of MS Windows makes those rules a joke. I'd bet that many medical records people understand all this. It should be no surprise that they treat HIPAA data security as a joke.
It's interesting to consider non-MS systems in this light. Fully open-source systems are probably immune to such problems, since they'd be exposed fairly quickly. Apple systems are about half open-source, but most of the kernel and the UI have hidden source. Apple systems haven't been documented to have any behavior like those described above.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Your SSN is a 9-digit number. Range: 000-00-0000 to 999-99-9999. That's 1 billion combinations. There have been more than 1 billion SSNs issued.
That, right there, tells me there are duplicates.
Since a valid SSN can't have an area number (first 3 digits) between 734 and 749, we remove 15 million numbers; that leaves 985 million. Oh, the area number also can't be higher than 772. That removes another 228 million numbers from the pool, leaving us with 757 million numbers. We can rule out 000-**-**** (1 million), ***-00-**** (100 thousand), and ***-**-0000 (10 million) for a total of 11.1 million additional numbers removed from the list; drop off 666-**-**** and we lose another million. Ok, we're left with 744.9 million. Oh, and two numbers have been removed from the system after having been used in advertising. That means there are only 744,899,998 valid SSNs; less than 3/4 of the apparent pool of 1 billion.
With over 300 million living legal US residents with assigned SSNs, unless fewer than 444,899,998 deceased had an SSN assigned at some point during their life, there are multiply-assigned numbers out there. Since we're looking at nearly 50% here, there's a more than fair chance that a fair number of SSNs of living people are also multiply-assigned. Depending on how you analyze these statistics, you can estimate that anywhere from 5% to 25% of SSNs are multiply-assigned to living people right now.
5% might be rare. 25%, not so much. From what you can tell (implying 100% provability given your resources) you're probably right, nobody else has the same SSN as you. From what I just showed you, there's a chance, somewhere between 1:20 and 1:4, that someone does.
If you need sources, my primary source was http://en.wikipedia.org/wiki/Social_Security_number which I verified by perusing ssa.gov so no [citation needed] here.
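The structural rules the post above lists (area 001-772 except 666 and 734-749, group not 00, serial not 0000, two advertising numbers retired) are also what a defender uses to tell plausibly real SSNs from noise when scanning records or logs for the kind of SSN exposure raised earlier in the thread. The following is an added example, not the poster's code; the sample record is constructed, and the two retired advertising numbers are taken from the SSA's published history rather than from this page.

```python
import re
from typing import List

# Area numbers never assigned under the pre-2011 scheme, per the rules in the post.
INVALID_AREAS = {0, 666} | set(range(734, 750)) | set(range(773, 1000))

# The two numbers retired after appearing in advertising (SSA history, assumed here).
RETIRED = {"078-05-1120", "219-09-9999"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_assignable(ssn: str) -> bool:
    """True if the token could have been issued under the structural rules above."""
    m = SSN_RE.fullmatch(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area in INVALID_AREAS or group == 0 or serial == 0:
        return False
    return ssn not in RETIRED


def find_exposed_ssns(text: str) -> List[str]:
    """DLP-style scan: return SSN-shaped tokens that pass the structural rules."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_assignable(m.group(0))]


def redact(text: str) -> str:
    """Mask plausible SSNs down to the last four digits; leave impossible tokens as-is."""
    def mask(m: "re.Match[str]") -> str:
        tok = m.group(0)
        return "***-**-" + m.group(3) if is_assignable(tok) else tok
    return SSN_RE.sub(mask, text)


# Constructed sample record: one real-looking SSN, two retired advertising numbers,
# and tokens that break the area, group and serial rules respectively.
SAMPLE_RECORD = """\
student_id=078-05-1120 contact=219-09-9999
badge=123-45-6789 dept=cardiology
ref=773-12-3456 alt=555-00-1234 case=555-12-0000
"""

if __name__ == "__main__":
    print(find_exposed_ssns(SAMPLE_RECORD))
    print(redact(SAMPLE_RECORD))
```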
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.