
December 30, 2011

OCR Fines Two Huge Healthcare Organizations for Data Privacy Breaches


So it’s not just the patients who suffer when their medical information is breached. Now – some say finally – the hospitals are paying, too.

According to Joseph Goedert, Massachusetts General Hospital has agreed with the Department of Health and Human Services' Office for Civil Rights (OCR) to pay “a $1 million ‘resolution’ fine and implement a corrective action plan following a breach of protected health information.”

OCR's action is the second major ruling against a health care organization in recent days for privacy rule violations, Goedert writes. OCR fined Cignet Health of Prince George’s County, Md., $4.3 million for several violations of the HIPAA privacy rule.

In the Massachusetts General case, an employee left records for 192 patients of an infectious disease outpatient practice on a subway train in March 2009. The records included the name and medical record number of every affected patient, and for 66 of them also the date of birth, medical insurer and policy number, diagnosis and provider names, according to Goedert.

In the Prince George’s County case, the fine is the first “civil money penalty” placed against a health care organization under the privacy rule “and the amount of the fine is based on increased penalty amounts authorized under the HITECH Act, according to OCR,” Goedert writes.

As part of its corrective action plan, Massachusetts General will be required to submit semi-annual reports to OCR for three years. "We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," OCR Director Georgina Verdugo said in a statement, Goedert reports.

In Maryland, other medical organizations experiencing breaches cooperated with OCR during its investigation of privacy violations, according to Goedert. Cignet, however, did not, “and has not agreed to a corrective action plan and the fine reflects its stance, according to OCR,” Goedert writes.

Last October, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients each filed complaints with OCR, initiating investigations of each complaint. The office fined the intransigent Cignet $1.3 million for these violations.

But OCR was not done with Cignet yet. In a statement, OCR said that Cignet's refusal to cooperate with the investigation resulted in additional fines totaling $3 million, Goedert says.

Ponemon Institute and ID Experts estimate that data breaches cost the U.S. healthcare industry between $4.2 billion and $8.1 billion a year, with a best estimate of $6.5 billion.


Deborah DiSesa Hirsch is an award-winning health and technology writer who has worked for newspapers, magazines and IBM in her 20-year career. To read more of her articles, please visit her columnist page.

Edited by Rich Steeves