On the heels of the Cignet Health civil monetary penalty for $4.3 million only two days ago, the OCR has announced today that Mass General, one of the country's oldest and largest hospitals, has agreed to pay HHS $1 million to settle potential HIPAA violations. The incident leading to this settlement involved an employee who brought documents on the subway with her, as she intended to work on them at home. Unfortunately for Mass General, those documents contained PHI of 192 individuals and the employee accidentally left the documents on the subway. In addition to the million dollar payment, Mass General also agreed to enter into a Corrective Action Plan, which requires the hospital to develop additional privacy policies and procedures, ensure that employees complete additional HIPAA training, and provide HHS with semi-annual reports for the next three years. The settlement agreement and Corrective Action Plan are available here.
How much does it cost to violate HIPAA? For drug store chain Rite Aid Corporation, the answer is $1 million. Today, HHS announced that Rite Aid will pay a $1 million fine, implement a corrective action program, and sign a consent order with the Federal Trade Commission to resolve this coordinated investigation, which was triggered by television media outlets capturing images of prescription bottles containing protected health information improperly disposed of in trash containers accessible to the public. Even after Rite Aid pays the fine, it will feel the effects of its non-compliance for a long time to come, as the FTC consent order will remain in place for 20 years.
The Federal Trade Commission (“FTC”) and several medical associations have agreed to a joint stipulation that the FTC would not enforce its Red Flags Rule with respect to physician members of various associations until the DC Circuit rules on the American Bar Association’s pending action challenging the Red Flags Rule. Although the FTC has already announced that it will again delay the deadline for compliance with the Red Flags Rule until December 31, 2010, this stipulation may extend further the compliance deadline for physicians in the medical associations and state medical societies referred to in the case.
Recognizing the confusion surrounding HITECH's significant amendments to HIPAA's Enforcement Rule, the Department of Health and Human Services ("HHS") published the Interim Final Rule on HIPAA Enforcement ("Interim Final Rule") on October 30th. The Interim Final Rule seeks to clarify the revised civil monetary penalty scheme established in HITECH, noting that many covered entities "may be unaware they are currently subject to significantly greater penalties for violations of the HIPAA rules." Indeed, the increase in the maximum aggregate penalties from $25,000 to $1,500,000 is big news for all covered entities (and now business associates too). HHS felt that this information was so important that it waived the notice and comment period and proceeded straight to the interim final rule, which becomes effective on November 30, 2009.
According to a new survey of healthcare IT practitioners, healthcare organizations are not adequately protecting confidential patient information. Sixty-one percent of those surveyed said that their organizations do not have the resources to fully comply with the federal privacy regulations. The survey results aren't entirely surprising considering that organizations are struggling to comply with HITECH and make the transition to EHR. What is surprising, however, is that 70% of the respondents believe that senior management does not consider patient privacy a priority. The OCR has quite clearly stated that it intends to increase enforcement, and not making protection of patient privacy a priority could be a costly decision.
Genetic information soon will be more stringently protected thanks to regulations published today by the United States Departments of Health and Human Services, Labor, and the Treasury. The Genetic Information Nondiscrimination Act of 2008 ("GINA") prohibits health insurers, health plans, and employers from discriminating against individuals based upon their genetic information. Under the interim final rules, group health plans and group and individual issuers may not do such things as raise premiums or impose pre-existing condition exclusions based upon genetic information, and they may not use genetic information for underwriting purposes. These rules will become effective on December 7, 2009.
The Office of Civil Rights ("OCR") also issued proposed rules today modifying HIPAA in accordance with GINA. If these rules are implemented in their current form, "genetic information" will be a defined term and the definition of "health information" will be modified to expressly include genetic information. Among other things, the proposed rules will prohibit health plans from using or disclosing genetic information for underwriting purposes and will require their notices of privacy practices to reflect this prohibition. The public has sixty days, up to and including December 7, 2009, to submit comments to the OCR.
ENFORCEMENT BEGINS AUGUST 1ST.
On August 1, 2009, the Federal Trade Commission (“FTC”) will begin enforcement of its "Red Flags" Rule, which is aimed at reducing identity theft. The Rule requires creditors to look for "red flags" that signal possible identity theft, and applies to any “creditor” that maintains “covered accounts.”
While most healthcare providers wouldn't usually think of themselves as traditional creditors, the Rule's definitions are broad enough to bring them into that realm.
Under the Rule, creditor is defined as any person or organization that “regularly extends, renews, or continues credit.”
- When a healthcare provider allows a patient to pay for medical services after they are rendered or accepts payments over a period of time, that provider is acting as a creditor.
Covered accounts include:
- Accounts maintained by a creditor which are primarily for personal, family, or household purposes and are designed to permit multiple payments or transactions, or
- Any other account for which there is a “reasonably foreseeable risk to consumers” of identity theft.
Patient accounts likely fit within both of these categories.
Given the above, most healthcare providers will indeed need to comply with the "Red Flags" Rule.
View this "Red Flags" Rule PowerPoint presentation for a quick overview of the Rule's requirements and the consequences of noncompliance.
You can also consult the FTC's simplified "How-To Guide", which provides the basics for complying with the Red Flags Rule.