Millions In Privacy Violations Wake-Up the Healthcare Industry


What can healthcare organizations learn from the multi-million dollar penalties recently issued by the Department of Health and Human Services Office for Civil Rights (OCR) for privacy violations?

Recently, the Office for Civil Rights singled out two prominent healthcare organizations—Cignet Health of Maryland with a penalty of $4.3 million and Massachusetts General with a settlement of $1 million—both for allegedly violating the federal HIPAA Privacy and Security Rule, the rule that protects the privacy of patient healthcare information.

A panel of healthcare experts with backgrounds in legal, regulatory, IT, governance, technology, and data breach matters weigh in to share their insights on what these first-round penalties indicate, what is to come, and what healthcare organizations and providers can do. The overall conclusion: these sizeable fines are a wake-up call for the healthcare industry and are only the beginning.

Catherine A. Allen, chairman and CEO, The Santa Fe Group, which manages the Shared Assessments Program
“The Stimulus Plan and the HITECH Act, combined with the rapid growth of electronic medical records, represent a sea change in the way the healthcare industry looks at the problem of data breaches. In this climate, it is imperative that the healthcare industry understands the importance of using appropriate security and privacy safeguards and best practices. A new industry group, the ANSI/Shared Assessments PHI Program, will look at these issues in depth. In particular, we’ll draw on the Shared Assessments Program’s roots in financial services, bringing the members’ knowledge of regulatory oversight issues and best practices to the table to help the healthcare industry meet these new demands.”

Chris Apgar, CISSP, president, Apgar & Associates, LLC
“Even if OCR does not investigate, that does not stop the filing of lawsuits for damages. Given HITECH, what looks to be increased enforcement by OCR was inevitable. I think this should send a clear message to the healthcare industry that enforcement has just started and, per an earlier statement by OCR, the focus will not just be on large organizations. While the OCR draft privacy, security and enforcement rule is not final, that does not mean OCR will not enforce rules that have been on the books since as far back as 2003. This was demonstrated by the recent OCR monetary settlements. The two provider organizations involved did not violate what could be termed HITECH requirements. They violated the HIPAA Privacy Rule, which has been around since 2003. I think it is time for healthcare organizations to move security to the front burner, especially given the significant legal risk associated with breaches and other security incidents.”
