Recently, the OCR singled out two prominent healthcare organizations—Cignet Health of Maryland with a penalty of $4.3 million dollars and Massachusetts General with a settlement of $1 million—both for allegedly violating the Federal HIPAA Privacy and Security Rule, the rule that protects the privacy of patient healthcare information.
A panel of healthcare experts representing legal, regulatory, IT, governance, technology, and data breach weigh in to share their insights as to what these first-round penalties indicate, what’s to come, and what healthcare organizations and providers can do. The overall conclusion: these sizeable fines signal a wake-up call for the healthcare industry and are only the beginning.
Catherine A. Allen, chairman and CEO, The Santa Fe Group, manages the Shared Assessments Program
“The Stimulus Plan and the HITECH Act, combined with the rapid growth of electronic medical records, represent a sea change in the way the healthcare industry looks at the problem of data breaches. In this climate, it is imperative that the healthcare industry understands the importance of using appropriate security and privacy safeguards and best practices. A new industry group, the ANSI/Shared Assessments PHI Program, will look at these issues in depth. In particular, we'll draw on the Shared Assessments Program's roots in financial services, bringing the members' knowledge of regulatory oversight issues and best practices to the table to help the healthcare industry meet these new demands.”
Chris Apgar, CISSP, president, Apgar & Associates, LLC
“Even if OCR does not investigate, that does not stop the filing of lawsuits for damages. Given HITECH, what looks to be increased enforcement by OCR was inevitable. I think this should send a clear message to the healthcare industry that enforcement has just started and, per an earlier statement by OCR, the focus will not just be on large organizations. While the OCR draft privacy, security and enforcement rule is not final, that does not mean OCR will not enforce rules that have been on the books since as far back as 2003. This was demonstrated by the recent OCR monetary settlements. The two provider organizations involved did not violate what could be termed HITECH requirements. They violated the HIPAA Privacy Rule, which has been around since 2003. I think it is time for healthcare organizations to move security to the front burner, especially given the significant legal risk associated with breaches and other security incidents.”
Donald L. Bradfield, senior counsel, legal department, Johns Hopkins Health System
“My takeaways from the two events, but most particularly the Mass General event, are that OCR has discovered its teeth and will not hesitate to bite hard; that putting all of the administrative pieces in place is not sufficient—actual compliance matters; that human error will not excuse the institution; and that, once onsite, OCR will not limit itself to the circumstances of the particular event but will range more broadly to other areas of HIPAA compliance.”
James Christiansen, CEO, Evantix, on-demand risk intelligence
“The healthcare organization needs to be in the driver’s seat! The financial impact of the fines to the healthcare companies is just the tip of the iceberg. The real big costs are tied to implementing the mandatory corrective actions and enduring the ongoing reporting that is typically part of the consent agreement. The worst part is the financial and organizational impact of the oversight that lasts for years. A better approach is implementing a program before an incident occurs including a plan for handling all the corrective actions. The cost of the plan can then be spread out over years and made much more manageable.”
Rick Kam, president and co-founder, ID Experts
“No healthcare organization wants a breach of their patients’ information. Without conducting regular risk assessments, all organizations are in jeopardy. Putting a documented risk assessment in place helps demonstrate HIPAA compliance and effectively addresses patient privacy gaps that might delay or complicate EHR implementation and Meaningful Use qualification. Unfortunately, the ramifications for not meeting compliance with HIPAA privacy and security rules go beyond significant fines—there will be Corrective Action Plans to follow, creation and implementation of revised policies, government agency monitoring—not to mention the potential damage and harm caused to the individuals whose information was breached.”
James C. Pyles, principal, Powers Pyles Sutter & Verville PC
"Electronic health information systems are the nuclear energy of health reform. They can bring great benefit if carefully used and controlled, and can be costly and produce catastrophic damage if not tightly controlled. Electronic health information systems make it possible, for the first time in the history of medicine, to breach the health information privacy of millions of individuals with the punch of a button; steal health information without having physical access to it (or even be on the same continent); and breach health privacy in a manner that it can never be restored."
Larry W. Walker, president of The Walker Company
“Based on my experience working with hospital governing boards, the large majority of board members have little or no real knowledge about the risk of patient health information breaches in their organizations, nor do they typically know what systems and processes are in place to prevent these breaches. It’s not due to neglect—it's simply not a part of their governance thinking, and yet it’s a distinctly critical governance accountability that must be understood and addressed by the board."
"The safety and security of patient health information is a vital trust that boards must protect through robust policies and careful, deliberate oversight. Accomplishing that begins with a board-wide understanding of the vital importance of the issue. It’s followed by ensuring the resources necessary to safeguard patients’ information are properly allocated, and that the systems and processes put into place are successfully working 24/7/365 to prevent a breach.”