Posted by: DonFluckinger
data breach, HIMSS11, Office for Civil Rights
Last week at the Health Information Management Systems Society’s HIMSS11 conference, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) dropped a bombshell just as agency secretary Kathleen Sebelius was delivering her keynote: a $4.3 million HIPAA fine levied on Maryland provider Cignet Health.
It was only a matter of time before fines came down, as the people charged with enforcing the privacy rule exercised their powers newly vested by the HITECH Act.
The fine was big, no doubt, but the even bigger stunner was that it wasn’t levied because of a data breach. Instead, $1.3 million of it was for Cignet’s withholding of medical records from 41 patients who demanded them, and $3 million was for not cooperating with an OCR investigation.
To me, it sounded kind of familiar. Flashes of déjà vu fired in my HIMSS-addled brain. I’d heard this before, but where? Where?
Only after getting home, decompressing from the amazingly fruitful trip and reviewing some old recordings, did I find it. Last June, I covered a Healthcare Stimulus Exchange conference session that featured a couple of HIPAA all-star speakers: David Mayer, the OCR’s acting senior adviser for health information privacy, and Amy Leopard, a partner at the Cleveland law firm Walter & Haverfield LLP.
In the session, Mayer explained how most HIPAA cases end up being resolved informally and without fines. HIPAA cases typically unfold with the covered entity realizing it had let slip some patient information or had violated the law in some other way, and working out a corrective plan with OCR to prevent it from happening again.
A few cases end up getting resolved formally, and a subset of those include penalties for noncooperation on the part of the covered entity. This HIPAA enforcement power isn’t used often because covered entities usually aren’t willfully circumventing HIPAA and want to fix the problem in their facility that caused the violations.
“In the regulation,” Mayer said, the covered entity “has to cooperate with OCR. We will provide, in certain places, technical assistance. We have actually had a number of cases where, when we finally got in there, the covered entity had done nothing wrong — but they had stonewalled us, they had given us a bad time. So, there was a violation of the cooperation portion, even though there was no breach.” He didn’t mention Cignet by name, of course, but OCR was working on this case when he said this.
OCR clearly is setting a precedent with the Cignet penalties — saying, in effect, “If you don’t cooperate, you’ll pay.” Literally. And from our point of view, this wasn’t a borderline call: When OCR requested the 41 patients’ records, Cignet sent them, all right, along with 4,500 others in 59 boxes, according to a Washington Post report. It was a brazen move that backfired. It takes taxpayer money and time to sift through that kind of paper. Make OCR do it, apparently, and they’ll send you the bill.