I heard a vendor/presenter (who will go unnamed) say the following at HIMSS last week, publicly: "privacy is dead: Facebook killed it." The sentiment that was brazenly expressed was "who gives a crap about privacy anymore?" Well, the Office of Civil Rights (OCR) does, for one.
Here are some recent heavy fines that were levied:
>>
The General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (Mass General) has agreed to pay the U.S. government $1,000,000 to settle potential violations of the HIPAA Privacy Rule.
Mass General, one of the nation’s oldest and largest hospitals, signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. The settlement follows an extensive investigation by OCR.
>>
AND
>>
OCR has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule. The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
>>
OK, it looks like Cignet "went rogue" and that is why they got whacked so hard. Mass General is certainly not a rogue outfit and they got whacked pretty hard as well. Is OCR finally starting to send a message to the marketplace? That remains to be seen. But it is clear that we can't have a National Healthcare Information Network without more than lip service being paid to privacy and security.
Lip service to HIPAA is the historical norm; for all intents and purposes it was ignored. The HITECH Act intended to change that. It purportedly was going to transform HIPAA from a paper tiger into something with electronic teeth. In theory, that is true. However, without OCR enforcement HIPAA will remain, as it has been in the past, a paper tiger and nothing more. The question remains: what will OCR's enforcement policy look like? We may have an indication with these recent fines, but more is required for the health care industry to get (at least some) religion about privacy and security.
Despite all the hoopla regarding interoperability at HIMSS (the ONC was out in force) there was little in the way of privacy and security that was front and center. No real visible signs anywhere to speak of. The industry has not changed. Until OCR consistently sends the message it won't. The more things change the more they stay the same.
There is some truth to the "privacy is dead" refrain. U.S. privacy laws range from nonexistent to weak sisters compared to the EU. That is the way we like it here. Well, except for two domains: 1) financial information; and 2) health care information. That said, as discussed above with respect to protected health information and HIPAA, our commitment to the second domain has been suspect, to say the least. The rollout of EHRs everywhere may change all that, but for now the industry is not listening as far as I can tell.