First Ever HIPAA Fine Is $4.3M

Posted by Soulskill
from the why-rush-things dept.
Trailrunner7 writes "The health care industry's toothless tiger finally bared its teeth, as the US Department of Health and Human Services issued a $4.3M fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first monetary fine issued since the Act was passed in 1996. The US Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health Care of Temple Hills, Maryland on February 4. The notice followed a finding by HHS's Office of Civil Rights that Cignet failed to provide 41 patients with copies of their medical records and failed to respond to requests from HHS's Office of Civil Rights for information related to the complaints."

  • Next thing you know, the feds be enforcing FERPA [ed.gov].

    • by ibpooks (127372)

      I'm not sure what your point is. The schools where I have worked do follow FERPA, and to my knowledge record privacy and portability is well respected throughout the education system.

      • by Bengie (1121981)
        One of the largest student information systems out there communicates over the internet unencrypted and that includes everything from address to SSNs. I do lots of student data imports from thousands of schools and I have had it many times where I had to tell schools that they shouldn't be putting SSNs/etc out on FTP. Many times I would bug them to switch to sFTP and even helped them configure their firewalls for sFTP. That's not even my job but I feel I should help them.
        • by AK Marc (707885)
          When someone actually compromises an open communication over dedicated terrestrial links where they wouldn't have been able to if it were encrypted, I'll start worrying.
      • by ecklesweb (713901)

        My point is simply that there has never been an enforcement action for FERPA against any institution of higher education in the history of the legislation. Indeed the only penalty available to the FPCO for the enforcement of FERPA is the total withholding of federal funds.

    • When I applied to grad school, I believe they explicitly gave me the option to waive what I can only assume were my FERPA rights with regards to letters of rec (that is, I waived my right to read the letters). Giving someone the option to waive rights (as opposed to just taking them away...) -- what a concept! (I did, of course, waive that right, as it seemed a good-faith thing to do...seemed to work, at any rate.)
    • by oneiros27 (46144)

      As someone who's both managed university systems and who's specifically requested that their directory information not be made public as per the Buckley amendment, I can tell you that it's taken very seriously.

      The problem was, they were using people's SSNs as unique identifiers throughout the system. It was even printed on your student ID card. That's what needs to be fixed -- the government needs to force companies/colleges/whatever to stop using and exposing people's SSNs all the damned time.

      • No, the real solution is that no one should expect SSNs to be a secret. It is not a password, and it should never be used as one.

      • by Cyberax (705495)

        No, the government should stop people accepting SSNs as authenticators.

        They work just fine as ID numbers.

        • by Skidborg (1585365)
          Except that there's a few other people in the country who have the exact same one as you...
          • by gblackwo (1087063)
            They aren't quite as bad as NIN numbers.
          • by AK Marc (707885)
            How many people have the same SSN as someone else? There are apparently rare errors, but from what I can tell, there are no other people in the country who have the exact same one as me, and almost all people with an SSN assigned could say the same thing.
            • by BronsCon (927697)

              Your SSN is a 9-digit number. Range: 000-00-0000 to 999-99-9999. That's 1 billion combinations. There have been more than 1 billion SSNs issued.

              That, right there, tells me there are duplicates.

              Since a valid SSN can't have an area number (first 3 digits) between 734 and 749, we remove 15 million numbers; that leaves 985 million. Oh, the area number also can't be higher than 772. That removes another 228 million numbers from the pool, leaving us with 757 million numbers. We can rule out 000-**-** (1 million),

      • I do give RIT credit for switching to RIT-specific 9-digit numbers for that purpose; that change was effected a few years before I started there, I think.
        I've heard some other mentions of "it's FERPA rules" before.

        Then again, even if a law isn't (heavily) enforced, many entities follow it anyway.

  • More to come? (Score:5, Interesting)

    by idiot900 (166952) * on Friday February 25, 2011 @03:58PM (#35316596)

    I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed. Directives by management are common, but when HIPAA impedes patient care (it's a hassle and timekiller to comply completely), it is always worked around. Doctors by and large, in my experience, toss HIPAA aside the first time they have to decide what to do with their limited time - adhere to every last rule or take care of a patient.

    I'm really surprised it's taken this long for a fine to come about.

    • +1 Informative

      Are there any studies out there about how much HIPAA compliance costs?

      • Are there any studies out there about how much HIPAA compliance costs?

        Probably. They won't mean much. HIPAA is the new boogeyman so any 'compliance cost' estimate will be full of untested assumptions, incorrect assumptions, wild ass guess and gonzo statistics. It's really NOT all that hard to follow most of the HIPAA rules. DHS has made it clear that they're not going after each and every little mistake that people make but are instead going after willful, major violations, such as the one in TFA.

        The biggest problem with HIPAA, IMHO, is that the free pass it gives insure

        • by Hylandr (813770)

          Are there any studies out there about how much HIPAA compliance costs?

          Probably. They won't mean much. HIPAA is the new boogeyman so any 'compliance cost' estimate will be full of untested assumptions, incorrect assumptions, wild ass guess and gonzo statistics. It's really NOT all that hard to follow most of the HIPAA rules. DHS has made it clear that they're not going after each and every little mistake that people make but are instead going after willful, major violations, such as the one in TFA.

          I used to work for a medical facility and this very thing was rampant. The ladies thought they could read the law and instantly understand what was required. They would spend hours in the conference room conjuring up IP policies they knew nothing about, and expect me to put my behind on the legal line. No thanks.

          That's why I left.

          - Dan.

    • Re:More to come? (Score:5, Interesting)

      by Velex (120469) on Friday February 25, 2011 @04:14PM (#35316752) Journal

      Ah, a med student. How quaint.

      One of my former co-workers once got into an argument with her provider's office about a policy change of theirs. It just so happened that office was also a client of my employer's (answering service). So, the office took it upon themselves to put two-and-two together, and they managed to have her fired. Yes, fired because she had an argument off-the-clock in a situation where she was supposed to be the customer.

      I think it's good that HIPAA is being enforced. If you med types want to arrogantly view yourselves as gods or even scientists because you know a little biology, you could at least use a bit of ethics in your daily lives. Dicking around with confidential information and using it for your own amusement/revenge is not ethical.

      • Re:More to come? (Score:4, Interesting)

        by debrain (29228) on Friday February 25, 2011 @05:25PM (#35317408) Journal

        If you med types want to arrogantly view yourselves as gods or even scientists because you know a little biology,

        There isn't even much in the way of actual science or biology. For example, the well reputed author of Lies, Damned Lies, and Medical Science [theatlantic.com] claims that "as much as 90 percent of the published medical information that doctors rely on is flawed".

        • by IICV (652597)

          "as much as" is one of those awesome Humpty Dumpty phrases that doesn't mean much. It's like how stores have signs saying "Up to 80% off!" - except the only item that's actually 80% off is some piece of shit that was overpriced in the first place and is sold out already anyway.

    • by VynlSol (1687610)
      The hospital I'm at takes HIPAA compliance very seriously. From the provider side, at least, it seems admin has been able to integrate HIPAA regs into daily processes, such that they aren't burdensome, or even noticeable. I will note that TFA shows just how much it takes to wake the fed-monster up. Seems like quite a lot.
    • by dunezone (899268)

      I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed.

      Probably because no one was getting fined.

    • I fail to see how allowing patients to have a copy of records of medical diagnosis and treatment is bad for the patient or creates more work for a doctor.

      Yes, I can understand how additional paperwork and rules for HIPAA can impede doctors. I don't see how that applies in this case.
      The given article makes it seem like the healthcare provider was not providing copies of records that they were keeping anyway.

      • by Rich0 (548339)

        Frankly I'd go one step further.

        I'd require the patient to receive a copy of all records generated within 24 hours of them being generated. At the very least not a penny could be paid by ANYBODY towards medical care before the patient received a copy of their records.

        The patient is of course welcome to throw them in the recycling bin after getting them if they don't want them.

        I'm sure the number of trees that die as a result of this will be a fraction of those who die from routine credit card receipts that

    • As well they should. The HIPAA law is an example of unintended consequences if ever there was one. How many patients have suffered or died because information wasn't shared due to fear of legal issues? How much has this impacted the cost of care with all the systems, training, legal reviews, etc? And really, since they always seem to tell your insurance company everything what fucking good is it?
    • Re:More to come? (Score:5, Insightful)

      by chowdahhead (1618447) on Friday February 25, 2011 @05:09PM (#35317280)

      HIPAA violations are usually identified either by patient complaints to the state department of health or a Joint Commission survey. Of course they happen routinely (daily, in my experience) but only violations that are reported are actionable. And, in those cases, the concern has been correcting the deficiency, not punishing the mistake. In this particular case, Cignet Health Care ignored repeated requests for information and only under a court order did they release the records. This isn't a slip-up, it's gross negligence:

      When the health care provider was ordered by a court to respond to the requests, it disgorged not just the patient records in question, but 59 boxes of original medical records to the U.S. Department of Justice, which included the records of 11 individuals listed in the Office of Civil Rights Subpoena, 30 other individuals who had complained about not receiving their medical records from Cignet, as well as records for 4,500 other individuals whose information was not requested by OCR.

      • already commented or I would mod you up. It was not intended to be punitive...if you mess something up, they tell you to fix it. An honest mistake...or even, at this point, an ignorant mistake is not what they are after at this point.
    • Out of curiosity...can you tell me which parts of the HIPAA laws are a hassle and a timekiller for a Doctor to comply with? Administrators, IT staff, especially the billing staff sure...but a Doctor?

      This is one of the few times where /. wanders into my wheelhouse. This is, unfortunately, how I make my living. And while the implementation may be sloppy for some, just about everyone I work with except tiny one doc offices take HIPAA pretty seriously. I can absolutely guarantee you that insurance claim clea
    • by pclminion (145572)
      HIPAA rules allow anyone who becomes aware of a violation to file a complaint, regardless of whether you are involved. The rules also forbid any sort of retaliation against you for doing so. If you are retaliated against they will slam down even harder. Why don't you report some of this stuff you are seeing?
    • Obviously there's regional variation for this. I'm also a med student who has worked in several hospitals, and I've yet to find one where HIPAA is *not* rigorously followed, even when this creates weird and novel situations. Such as when a white board for patient names, details, and staff assignments is visible to patient or public areas, and gets changed to entire list of last name's first two letters plus first initial. So everyone is Le or Je or Su or Ma, and basically it looks like the entire patient po

  • who will eventually pay for those fines?

    Nothing but hot air puffing up some ego.
    • You will actually reap the benefits of those fines by having a lower federal debt, or possibly lower taxes in the future.

      Meanwhile, the customers of the fined company will suffer, but not as much as they do by continuing to use them as a service provider.

      • by no-body (127863)
        $ 4.3 M - Oh, come on, get a perspective!

        http://www.usdebtclock.org/ [usdebtclock.org]

        Where are they? Fffft - gone!

        First it will get paid out of corporate funds - reduces profit, taxes and, since profitability is a must - stockholders want their cut - the customers will come up for it.
        Size of company/revenue in relation to penalty is unknown, which would be interesting, is it even worth a scratch?
        Maybe lawyers are making more on it challenging the whole thing.
    • The company.

      If they try to pass that on to their customers, their customers will leave them; there is ample competition for that to be an effective punishment that can't simply be fobbed off.

      • by Locke2005 (849178)
        Yeah, sure, because everybody shops for medical services with price as their primary concern!
        • by Rich0 (548339)

          True, but the prices get dictated by insurance companies based on what is reasonable and customary and all that (or likely whatever medicare pays).

          If a doctor's office calls up blue cross and tells them that they're raising rates by $10 to cover a fine, blue cross will tell them that they'll keep paying what they've been paying all along, and they don't have to accept it if they don't want it.

          The reality is more of a balance of power as conglomerates of doctors negotiate with mega-insurers. However, no sin

      • This is why I love the idea of non-specialists being paid a monthly amount based on how many patients they have. You don't get any more for ordering expensive and unnecessary tests. You don't get any less for using a cheaper, common-sense, remedy that is just as effective.

        You don't have any incentive to schedule unnecessary follow up visits....you get paid the same no matter how many times you see me. If I feel like you are putting me off or avoiding treating me...I go find another doctor and you don't get a
  • I just love it.

    to send a large middle finger to the feds by burying them in discovery (this seems fairly common, more info than needed is sent in the hopes that it is too large a task), and in response to a HIPAA complaint about their non compliance with patient medical record access, Cigna violates nearly every portion of the privacy sections of HIPAA.

    I think the fine should be 10X

  • I first read the headline as 54.3 million and thought 'now that is a fine.' But just 4.3? I tried looking up this company and could find nothing about their revenue, prices, pay for doctors, anything. Is this a small set of clinics that doesn't give their CEO a million in expense accounts, or is it the government forgetting that companies really do compare the cost of a fine versus the cost of complying?
    • The breakdown of the fine is quite interesting: $1.4M was for not handing over the patient records in a timely manner when requested by the patient. $3M was for not cooperating with the investigation. This was $1.5M a year for two years. It would have been tens of millions more, but the maximum per year was capped at $1.5M. The only reason the fine was even levied was because the company in question didn't even bother to offer an explanation of why their process was fubar.
  • The fact they would not give the patients their records as requested, totally ignored all legal requests or finally coughing up 4,500 other records that were not even asked for? This health care company acted either like a spoiled petulant child or a clueless moron. Either way these are NOT the people I want keeping my records.
  • You can read the entire Penalty notice [hhs.gov], which lays out a good timeline of what went on. HHS sent them letters, phone calls, sign and return receipt requested letters, then subpoenaed them and after all that Cignet didn't even bother to show up in court. When the judge threatened penalties, they gave thousands of patient charts over, even though the subpoena was for only 30 records.

    Looks like they had it coming, or else someone really badly has to fire their office administrator.

  • If I were a hospital or clinic, I would interpret this the opposite. This is the first time anyone has EVER been fined, and it's for blatant refusals to give medical records to dozens of people or respond to mail. Given what it takes to actually be fined, I would stop harassing people with useless HIPAA notices and using it to obstruct anything from getting accomplished whenever convenient.

    • by iamhigh (1252742)
      That was my thought... just now, after 15 years, and it was blatant; not just refusal to the consumer/patient, but to the regulators. Not to mention it had nothing to do with the security portion of the bill. The security issues worry me much more than some doctor holding records hostage.
    • by RKThoadan (89437)

      It may be the first fine but I've worked at a hospital where they were investigating a complaint and it is an extremely major hassle to deal with. I'm guessing it would compare nicely to an IRS tax audit.

      Also, like the vast majority of cases in the legal system, most HIPAA violations are settled out-of-court and I'm sure money has been paid, but it's only considered a fine if a court has to order it.

  • by Tmack (593755) on Friday February 25, 2011 @04:49PM (#35317096) Homepage Journal
    The company that got the fine turns around and challenges the Government's right to meddle with private businesses, and gets the penalty eliminated while saying the USDH doesn't have the authority to fine people.... I swear, if we have Departments set up to regulate businesses, what good does it do to not allow them to actually enforce their regulations???

    tm

  • by Anonymous Coward

    This doesn't faze them one bit... of the 4 hospitals they run, they have 925 beds between the 4 of them... they're raking in $$$... especially when 99% of Maryland facilities only negotiate 2% discounts.. even on a $51K bill. blasphemy!

    I checked their site and found this...
    HOSPITAL AFFILIATION: Southern Maryland Hospital, Clinton, MD, Doctors Community Hospital, Lanham, MD, Laurel Hospital, Laurel, MD, Prince Georges Hospital, Cheverly, MD*

    then I searched the 4 hospitals...
    Prince George's Hospital Center -

  • Seriously -- is this fine about HIPAA, or is it about failing to snap to attention when the Big Government Agency came calling?

    Also seriously: One of the HIPAA loopholes that patients aren't always told about is that HIPAA privacy rules don't necessarily apply when the government gets involved. One could easily argue that Cignet shouldn't have released those 4,500 unneeded records, you bet...but one could also argue that the release of those records didn't automatically trigger a HIPAA violation, as the

  • "The health care industry's toothless tiger finally bared its teeth [...]"

    Congratulations on writing one of the worst sentences ever.

  • Mass General agreed to pay a $1 million fine this past week for a HIPAA violation. One of its staff members left the records for 192 patients on a subway train. They were never recovered.

    http://www.hhs.gov/news/press/2011pres/02/20110224b.html [hhs.gov]

    These are the kinds of practices HIPAA was designed to prevent. I, for one, am glad to see HHS enforcing these rules. Just the fact that someone could be carrying the records for 192 patients around with them while commuting shows how cavalierly some medical staff

  • Don't worry the "Conservative" courts will void it on appeal. You have to protect the corporations, the economy depends on them. All people are created equal, but some are more equal than others....
