It’s no secret that health IT has some of the most complex needs of any industry today. Not only are its compliance requirements among the least prescriptive in the IT space, but the consequences of not complying can be costly.
With more than 10 million individuals employed in the industry in the US, protecting the privacy and confidentiality of patients’ electronic health records from unauthorized access is paramount to achieving compliance with federal laws such as HIPAA, the HITECH Act (enacted as part of the American Recovery and Reinvestment Act) and other laws that apply to healthcare organizations.
What happens if you don’t comply with these health IT compliance requirements? Just ask Cignet Health.
Last year, for the first time, federal officials issued a civil monetary penalty (CMP) to a healthcare organization for violations of the HIPAA Privacy Rule. When Cignet Health of Prince George’s County, Md. failed to provide 41 patients with access to their medical records and then failed to cooperate with federal investigators, HHS imposed a CMP of $4.3 million for the violations.
In a Notice of Proposed Determination issued Oct. 20, 2010, the Office for Civil Rights (OCR) found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, and each complaint triggered its own investigation. Because the HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 days of the request (or, with one permitted extension, no later than 60 days), Cignet’s CMP for the access violations alone came to $1.3 million.
Making matters worse for Cignet, OCR also found that the provider failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010. OCR found that this failure to cooperate amounted to willful neglect to comply with HIPAA, which requires covered entities to cooperate with the Department’s investigations. Based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the HITECH Act, Cignet’s penalty was increased by an additional $3 million.
The Cignet case is of course an extreme one, since the organization knowingly violated patient rights, but what about a data breach?
We’ve covered this and much more in our latest white paper, “Delivering Hosting Solutions for Healthcare.” Download it free today, and feel free to reach out if you have any questions or need more information about HIPAA compliance and how it relates to the compliance solutions we offer at Carpathia.