HIPAA fines realized

HIT me with your best shot

A weekly post by Wm. T. Oravecz
WTO-Associates LLC

This week, here in my State of Connecticut, our Attorney General, Richard Blumenthal, announced a settlement under which Health Net, the California-based insurer, will pay the State of Connecticut $250,000. The settlement concerns a data breach that violated state and federal privacy laws: the theft of a disk drive containing medical records and financial information for nearly 500,000 Connecticut residents. It is the first settlement obtained by a state attorney general for violations of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 since the HITECH Act of 2009 authorized state attorneys general to enforce HIPAA. The new federal rules took effect in September 2009, with a compliance deadline of February 22, 2010. This is not an isolated incident, however; more examples of reported breaches are listed on the US Department of Health & Human Services Health Information Privacy website.

At federal level, the Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

Recently, Lincoln Medical and Mental Health Center in Bronx, N.Y., notified 130,495 patients of a breach of their protected health information after seven CDs shipped by a business associate via FedEx were lost. The hospital, part of NYC Health and Hospitals Corp. (HHC), explained why the data had not been encrypted and why free identity and credit protection services were not being offered to affected patients: “Under the HIPAA security regulations, encryption is not a legal requirement but a suggested ‘addressable’ method of safeguarding electronic protected health information.” Nevertheless, HHC said, “the Siemens CDs had been safeguarded using password protection. Moreover, in the very unlikely event that an unauthorized user managed to crack or bypass the password, that individual would need to know how to access and utilize Siemens’ proprietary software in order to view the information. After discussions with security experts and investigations that provided no evidence that information has been improperly accessed by any person or entity, HHC has determined that given the specific facts of this case, and the reduced level of risk and potential exposure, low-cost or free credit and protection services would be just as effective in monitoring possible identity theft as commercially available security monitoring.” (“Hospital Explains its Breach Decisions,” J. Goedert, Health Data Management, July 6, 2010)
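The distinction the hospital’s statement turns on, a password check in the viewing software versus encryption of the stored bytes, is easy to demonstrate. The following is an added example, not code from the original post, from HHC or from Siemens; the two file formats, the fictional patient records and the password are constructed for illustration and have nothing to do with the actual Siemens format. It writes the same records in a “password protected” file (the viewer checks a password hash in the header, the payload is plaintext) and in an encrypted file, then scans the raw bytes of each the way someone who picked up a lost CD would, without running any vendor software.

```python
"""Added example: "password protected" is not "encrypted".

Two constructed file formats holding the same fictional records:
  PWPROT1  - header carries a hash of the password; payload is plaintext.
             Only the viewer enforces the password; raw bytes are readable.
  ENC1     - payload is ciphertext under a key derived from the password,
             with an integrity tag. Raw bytes reveal nothing without the key.
"""
import hashlib
import hmac
import os
import re
import struct

# Constructed, fictional sample of protected health information.
RECORDS = (b"MRN:000123|DOE,JANE|1975-04-02|DX:E11.9\n"
           b"MRN:000124|ROE,RICHARD|1968-11-20|DX:I10\n")

# What an attacker greps for in a file they cannot "open" in the viewer.
IDENTIFIER = re.compile(rb"MRN:\d+\|[A-Z]+,[A-Z]+")


def password_protected(records, password):
    """Viewer-side gate only: store a password hash, then the records as-is."""
    tag = hashlib.sha256(password.encode()).digest()
    return b"PWPROT1" + tag + records


def open_password_protected(blob, password):
    """What the viewer does: compare the hash, then show the plaintext payload."""
    if not hmac.compare_digest(blob[7:39], hashlib.sha256(password.encode()).digest()):
        raise PermissionError("wrong password")
    return blob[39:]


def leak_without_password(blob):
    """Skip the viewer entirely and scan the raw bytes for patient identifiers."""
    return IDENTIFIER.findall(blob)


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, used as a stream cipher keystream.
    Standard-library-only construction for illustration; in production use a
    vetted AEAD (e.g. AES-GCM) from a maintained library instead."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _derive_keys(password, salt):
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key


def encrypt(records, password):
    """Encrypt-then-MAC: salt | nonce | tag | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(records, _keystream(enc_key, nonce, len(records))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return b"ENC1" + salt + nonce + tag + ct


def decrypt(blob, password):
    """Verify the tag before touching the ciphertext; wrong password or a
    tampered file both fail here, with no partial plaintext released."""
    salt, nonce, tag, ct = blob[4:20], blob[20:36], blob[36:68], blob[68:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad password or tampered file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    pw = "s3cret"  # constructed password
    print("password-protected file leaks:", leak_without_password(password_protected(RECORDS, pw)))
    print("encrypted file leaks:        ", leak_without_password(encrypt(RECORDS, pw)))
    print("legitimate decrypt works:    ", decrypt(encrypt(RECORDS, pw), pw) == RECORDS)
```

The scan of the “password protected” file returns both patients’ identifiers without ever being asked for a password; the same scan of the encrypted file returns nothing, and only the correct password recovers the records. This is also the distinction the federal breach-notification rule draws: HHS’s guidance treats only PHI encrypted consistently with NIST standards as “secured,” and a password gate in proprietary viewing software does not meet that bar.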

So here’s the way I see it. Just as in banking and financial services, if these organizations are going to transact the public’s business and want our business, they need to play by the rules and protect our privacy. If the covered entities (CEs) and their business associates (BAs) don’t take care of security and our privacy themselves, someone else will, and it won’t be pretty.