HIPAA Cases Hold High-Dollar Message About Portable Electronics

Hospitals and hospitalists should expect more aggressive enforcement of protected health information regulations following a $1 million settlement paid by Massachusetts General Physicians Organization Inc. over documents on 192 patients left on the subway by a MassGen employee, a top hospitalist says.

The payment – part of an agreement (pdf) between MassGen and the U.S. Health and Human Services Department over "potential violations" of HIPAA rules – came at the same time as HHS issued its first civil money penalty for violations of the privacy act. The $4.3 million civil money penalty involved Cignet Health Care, a Maryland-based clinic, which HHS found had violated 41 patients’ rights by failing to provide them with access to their own medical records.

Photo credit: Cybrain/Fotolia.com

Dr. Chad Whelan, director of the division of hospital medicine at Loyola University Chicago, Maywood, said the two high-dollar enforcement moves by HHS indicate more aggressive enforcement of HIPAA is coming.

"Given the large fines and the high-profile institution [MassGen] affected, it sure seems like they are sending a message," he said in an interview. "I would fully expect more stringent enforcement in the coming years, and we will likely see more payouts."

To safeguard themselves, physicians and hospitals need to take a hard look at their policies regarding electronic storage and transmission of protected health information across multiple electronic devices, especially smartphones and tablet-style electronic devices, Dr. Whelan said.

"The beautiful thing about computers, smartphones, and electronic medical records is that [they make it] amazingly easy to store, access, and share information," he said. "The terrifying thing about computers, smartphones and electronic medical records is that [they make it] amazingly easy to store, access, and share information.

"Medical centers and hospitalists must be aware of this tension between improving care through information access and sharing and the risk to confidentiality through easier information access and sharing. These settlements are the first shot across the bow to all of us that HHS is certainly taking a long, hard look at this balance," Dr. Whelan said.

Office of Civil Rights director Georgina Verdugo said as much in a statement involving the MassGen settlement. "We hope the health care industry will take a close look at this agreement and recognize that the OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information," Ms. Verdugo said.

The MassGen incident involved hard copies of protected health information from the hospital’s Infectious Disease Associates outpatient practice, and included patients with HIV and AIDS, according to HHS. The documents involved included a patient schedule with names for all of the patients, plus billing encounter forms with identifying information such as name, date of birth, health insurer, and policy number for 66 of the same patients.

A MassGen employee left the information on a subway while commuting to work, and it was never recovered. One of the patients involved filed a complaint with HHS, which investigated and found that MassGen had "failed to implement reasonable, appropriate safeguards to protect the privacy of [protected health information] when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule."

MassGen said in a statement that it will implement a corrective action plan over the next 3 years designed to enhance protection of protected health information when it is physically removed from the hospital’s property for work purposes. The organization also said it will issue new or revised policies and procedures dealing with laptop encryption and USB drive encryption.

"After these policies and procedures are issued, we will be providing mandatory training on them," the hospital said. "All members of our workforce must participate in the training and certify that they have completed it."

It’s very unusual for an employee to intentionally violate HIPAA, but it’s the inadvertent violations that potentially can cause trouble, said Dr. Whelan. "It is far more likely that a well-meaning employee simply forgets the basics of patient protection on a device and then accidentally misplaces the device, leaving it open for anyone with basic computer skills to access," he said.

Traditional concern has been focused on data stored on portable computer hardware, such as hard drives, CDs, and laptops, he said. But "with the increased availability of electronic medical records, it will only become easier to have information about patients in portable formats. With paper, it was difficult to carry records of hundreds of patients around. Now, it is remarkably easy."

The explosion of extremely portable devices such as smart phones and iPads poses new risks, Dr. Whelan said. "How many people have patient information stored or accessible through these omnipresent devices? Certainly, patient information that has been sent through e-mail is easily accessed through a smartphone. Hospitals need to develop policies around encryption and support end users in encrypting the multiple devices they may use to levels that are acceptable to HHS."

In order to better safeguard protected data, hospitals need to have enterprise-wide programs in data information management, but also need to help employees make certain any data-storage or transmission devices they use are HIPAA-compliant, Dr. Whelan said.

"Hospitalists should be involved in both policy development and process implementation to assure that the benefits of electronic data storage are not lost in order to reduce the risk of HIPAA violation," he added.

Hospitals and hospitalists should expect more aggressive enforcement of protected health information regulations following a $1 million settlement paid by Massachusetts General Physicians Organization Inc. over documents on 192 patients left on the subway by a MassGen employee, a top hospitalist says.

The payment – part of an agreement (pdf) between MassGen and the U.S. Health and Human Services Department over "potential violations" of HIPAA rules – came at the same time as HHS issued its first civil money penalty for violations of the privacy act. The $4.3 million civil money penalty involved Cignet Health Care, a Maryland-based clinic, which HHS found had violated 41 patients’ rights by failing to provide them with access to their own medical records.

Photo credit: Cybrain/Fotolia.com

Dr. Chad Whelan, director of the division of hospital medicine at Loyola University Chicago, Maywood, said the two high-dollar enforcement moves by HHS indicate more aggressive enforcement of HIPAA is coming.

"Given the large fines and the high-profile institution [MassGen] affected, it sure seems like they are sending a message," he said in an interview. "I would fully expect more stringent enforcement in the coming years, and we will likely see more payouts."

To safeguard themselves, physicians and hospitals need to take a hard look at their policies regarding electronic storage and transmission of protected health information across multiple electronic devices, especially smartphones and tablet-style electronic devices, Dr. Whelan said.

"The beautiful thing about computers, smartphones, and electronic medical records is that [they make it] amazingly easy to store, access, and share information," he said. "The terrifying thing about computers, smartphones and electronic medical records is that [they make it] amazingly easy to store, access, and share information.

"Medical centers and hospitalists must be aware of this tension between improving care through information access and sharing and the risk to confidentiality through easier information access and sharing. These settlements are the first shot across the bow to all of us that HHS is certainly taking a long, hard look at this balance," Dr. Whelan said.

Office of Civil Rights director Georgina Verdugo said as much in a statement involving the MassGen settlement. "We hope the health care industry will take a close look at this agreement and recognize that the OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information," Ms. Verdugo said.

The MassGen incident involved hard copies of protected health information from the hospital’s Infectious Disease Associates outpatient practice, and included patients with HIV and AIDS, according to HHS. The documents involved included a patient schedule with names for all of the patients, plus billing encounter forms with identifying information such as name, date of birth, health insurer, and policy number for 66 of the same patients.

A MassGen employee left the information on a subway while commuting to work, and it was never recovered. One of the patients involved filed a complaint with HHS, which investigated and found that MassGen had "failed to implement reasonable, appropriate safeguards to protect the privacy of [protected health information] when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule."

MassGen said in a statement that it will implement a corrective action plan over the next 3 years designed to enhance protection of protected health information when it is physically removed from the hospital’s property for work purposes. The organization also said it will issue new or revised policies and procedures dealing with laptop encryption and USB drive encryption.

"After these policies and procedures are issued, we will be providing mandatory training on them," the hospital said. "All members of our workforce must participate in the training and certify that they have completed it."

It’s very unusual for an employee to intentionally violate HIPAA, but it’s the inadvertent violations that potentially can cause trouble, said Dr. Whelan. "It is far more likely that a well-meaning employee simply forgets the basics of patient protection on a device and then accidentally misplaces the device, leaving it open for anyone with basic computer skills to access," he said.

Traditional concern has been focused on data stored on portable computer hardware, such as hard drives, CDs, and laptops, he said. But "with the increased availability of electronic medical records, it will only become easier to have information about patients in portable formats. With paper, it was difficult to carry records of hundreds of patients around. Now, it is remarkably easy."

The explosion of extremely portable devices such as smart phones and iPads poses new risks, Dr. Whelan said. "How many people have patient information stored or accessible through these omnipresent devices? Certainly, patient information that has been sent through e-mail is easily accessed through a smartphone. Hospitals need to develop policies around encryption and support end users in encrypting the multiple devices they may use to levels that are acceptable to HHS."

In order to better safeguard protected data, hospitals need to have enterprise-wide programs in data information management, but also need to help employees make certain any data-storage or transmission devices they use are HIPAA-compliant, Dr. Whelan said.

"Hospitalists should be involved in both policy development and process implementation to assure that the benefits of electronic data storage are not lost in order to reduce the risk of HIPAA violation," he added.

Hospitals and hospitalists should expect more aggressive enforcement of protected health information regulations following a $1 million settlement paid by Massachusetts General Physicians Organization Inc. over documents on 192 patients left on the subway by a MassGen employee, a top hospitalist says.

The payment – part of an agreement (pdf) between MassGen and the U.S. Health and Human Services Department over "potential violations" of HIPAA rules – came at the same time as HHS issued its first civil money penalty for violations of the privacy act. The $4.3 million civil money penalty involved Cignet Health Care, a Maryland-based clinic, which HHS found had violated 41 patients’ rights by failing to provide them with access to their own medical records.

Photo credit: Cybrain/Fotolia.com

Dr. Chad Whelan, director of the division of hospital medicine at Loyola University Chicago, Maywood, said the two high-dollar enforcement moves by HHS indicate more aggressive enforcement of HIPAA is coming.

"Given the large fines and the high-profile institution [MassGen] affected, it sure seems like they are sending a message," he said in an interview. "I would fully expect more stringent enforcement in the coming years, and we will likely see more payouts."

To safeguard themselves, physicians and hospitals need to take a hard look at their policies regarding electronic storage and transmission of protected health information across multiple electronic devices, especially smartphones and tablet-style electronic devices, Dr. Whelan said.

"The beautiful thing about computers, smartphones, and electronic medical records is that [they make it] amazingly easy to store, access, and share information," he said. "The terrifying thing about computers, smartphones and electronic medical records is that [they make it] amazingly easy to store, access, and share information.

"Medical centers and hospitalists must be aware of this tension between improving care through information access and sharing and the risk to confidentiality through easier information access and sharing. These settlements are the first shot across the bow to all of us that HHS is certainly taking a long, hard look at this balance," Dr. Whelan said.

Office of Civil Rights director Georgina Verdugo said as much in a statement involving the MassGen settlement. "We hope the health care industry will take a close look at this agreement and recognize that the OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information," Ms. Verdugo said.

The MassGen incident involved hard copies of protected health information from the hospital’s Infectious Disease Associates outpatient practice, and included patients with HIV and AIDS, according to HHS. The documents involved included a patient schedule with names for all of the patients, plus billing encounter forms with identifying information such as name, date of birth, health insurer, and policy number for 66 of the same patients.

A MassGen employee left the information on a subway while commuting to work, and it was never recovered. One of the patients involved filed a complaint with HHS, which investigated and found that MassGen had "failed to implement reasonable, appropriate safeguards to protect the privacy of [protected health information] when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule."

MassGen said in a statement that it will implement a corrective action plan over the next 3 years designed to enhance protection of protected health information when it is physically removed from the hospital’s property for work purposes. The organization also said it will issue new or revised policies and procedures dealing with laptop encryption and USB drive encryption.

"After these policies and procedures are issued, we will be providing mandatory training on them," the hospital said. "All members of our workforce must participate in the training and certify that they have completed it."

It’s very unusual for an employee to intentionally violate HIPAA, but it’s the inadvertent violations that potentially can cause trouble, said Dr. Whelan. "It is far more likely that a well-meaning employee simply forgets the basics of patient protection on a device and then accidentally misplaces the device, leaving it open for anyone with basic computer skills to access," he said.

Traditional concern has been focused on data stored on portable computer hardware, such as hard drives, CDs, and laptops, he said. But "with the increased availability of electronic medical records, it will only become easier to have information about patients in portable formats. With paper, it was difficult to carry records of hundreds of patients around. Now, it is remarkably easy."

The explosion of extremely portable devices such as smart phones and iPads poses new risks, Dr. Whelan said. "How many people have patient information stored or accessible through these omnipresent devices? Certainly, patient information that has been sent through e-mail is easily accessed through a smartphone. Hospitals need to develop policies around encryption and support end users in encrypting the multiple devices they may use to levels that are acceptable to HHS."

In order to better safeguard protected data, hospitals need to have enterprise-wide programs in data information management, but also need to help employees make certain any data-storage or transmission devices they use are HIPAA-compliant, Dr. Whelan said.

"Hospitalists should be involved in both policy development and process implementation to assure that the benefits of electronic data storage are not lost in order to reduce the risk of HIPAA violation," he added.