
First Ever HIPAA Fine Is $4.3M

Soulskill posted more than 3 years ago | from the why-rush-things dept.


Trailrunner7 writes "The health care industry's toothless tiger finally bared its teeth, as the US Department of Health and Human Services issued a $4.3M fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first monetary fine issued since the Act was passed in 1996. The US Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health care of Temple Hills, Maryland on February 4. The notice followed a finding by HHS's Office of Civil Rights that Cignet failed to provide 41 patients with copies of their medical records and failed to respond to requests from HHS's Office of Civil Rights for information related to the complaints."


197 comments


FERPA (1)

ecklesweb (713901) | more than 3 years ago | (#35316584)

Next thing you know, the feds will be enforcing FERPA [ed.gov].

Re:FERPA (0)

Anonymous Coward | more than 3 years ago | (#35316650)

Do you have any basis for suggesting FERPA is not currently enforced? My father is a high school principal and has been contacted by ED over FERPA due to unfounded complaints made by a handful of parents. No idea what would happen if he had ignored the ED inquiry, but they seem to at least make the appearance that they enforce it.

Re:FERPA (1)

ibpooks (127372) | more than 3 years ago | (#35316742)

I'm not sure what your point is. The schools where I have worked do follow FERPA, and to my knowledge record privacy and portability is well respected throughout the education system.

Re:FERPA (0)

Anonymous Coward | more than 3 years ago | (#35317354)

Following FERPA (or HIPAA) is not the same as enforcing it. I follow the speed limit laws; I do not have the authority to enforce them.

Re:FERPA (1)

ibpooks (127372) | more than 3 years ago | (#35317652)

If everyone is following the law voluntarily, no enforcement actions are necessary.

Re:FERPA (1)

Bengie (1121981) | more than 3 years ago | (#35317680)

One of the largest student information systems out there communicates over the internet unencrypted and that includes everything from address to SSNs. I do lots of student data imports from thousands of schools and I have had it many times where I had to tell schools that they shouldn't be putting SSNs/etc out on FTP. Many times I would bug them to switch to sFTP and even helped them configure their firewalls for sFTP. That's not even my job but I feel I should help them.

Re:FERPA (1)

by (1706743) (1706744) | more than 3 years ago | (#35317006)

When I applied to grad school, I believe they explicitly gave me the option to waive what I can only assume were my FERPA rights with regards to letters of rec (that is, I waived my right to read the letters). Giving someone the option to waive rights (as opposed to just taking them away...) -- what a concept! (I did, of course, waive that right, as it seemed a good-faith thing to do...seemed to work, at any rate.)

Re:FERPA (2)

oneiros27 (46144) | more than 3 years ago | (#35317114)

As someone who's both managed university systems and who's specifically requested that their directory information not be made public as per the Buckley amendment, I can tell you that it's taken very seriously.

The problem was, they were using people's SSNs as unique identifiers throughout the system. It was even printed on your student ID card. That's what needs to be fixed -- the government needs to force companies/colleges/whatever to stop using and exposing people's SSNs all the damned time.

Re:FERPA (2)

KingMotley (944240) | more than 3 years ago | (#35317346)

No, the real solution is that no one should expect SSNs to be a secret. It is not a password, and it should never be used as one.

Re:FERPA (1)

Cyberax (705495) | more than 3 years ago | (#35317404)

No, the government should stop people accepting SSNs as authenticators.

They work just fine as ID numbers.

Re:FERPA (1)

Skidborg (1585365) | more than 3 years ago | (#35318308)

Except that there's a few other people in the country who have the exact same one as you...

Re:FERPA (1)

KingAlanI (1270538) | more than 3 years ago | (#35317598)

I do give RIT credit for switching to RIT-specific 9-digit numbers for that purpose; that change was effected a few years before I started there, I think.
I've heard some other mentions of "it's FERPA rules" before.

Then again, even if a law isn't (heavily) enforced, many entities follow it anyway.

Portability, not security (1)

einstein4pres (226130) | more than 3 years ago | (#35316592)

I'm surprised that the first fine is due to the portability aspect of the law, not the security portions of the law. Of course, either is a win for consumers!

Re:Portability, not security (1)

chowdahhead (1618447) | more than 3 years ago | (#35316780)

I'm not so sure:

When the health care provider was ordered by a court to respond to the requests, it disgorged not just the patient records in question, but 59 boxes of original medical records to the U.S. Department of Justice, which included the records of 11 individuals listed in the Office of Civil Rights Subpoena, 30 other individuals who had complained about not receiving their medical records from Cignet, as well as records for 4,500 other individuals whose information was not requested by OCR.

Sounds like... (1)

publiclurker (952615) | more than 3 years ago | (#35317402)

they tried the bury-them-with-paper defense. This rarely works against the government or any other large group that can throw all the bodies at the problem that they need.

Re:Sounds like... (1)

Kazymyr (190114) | more than 3 years ago | (#35317676)

Correct. Government: "We have all the time and manpower we need. After all we're paid by...*drumroll*... YOU!"

I pity the fool who doesn't understand this.

Re:Portability, not security (2)

jc42 (318812) | more than 3 years ago | (#35317486)

I'm surprised that the first fine is due to the portability aspect of the law, not the security portions of the law.

I'm not. Anyone familiar with medical records and computer security issues considers the security portions of HIPAA a joke.

The primary reason is that medical records are pretty much universally kept on MS Windows systems. There are several reasons why this makes data security a joke. The main one has been discussed here at /. several times: Windows has an automatic update feature, which you can turn off for "application" level software. However, it can't be turned off for "system" level software. MS has admitted that this has been true since XP. Their excuse is that kernel security issues are taken seriously, and updates are mandatory.

However, if you think about this for a few seconds, it obviously means that any time your Windows system is connected to the Internet, MS can silently install any new software they like. If your machine isn't reporting the contents of selected files to a .microsoft.com site now, it could be by the time you read this, and unless you're a real Windows security guru, you'd never suspect.

So if you're running Windows, you must assume that anyone who has "socially engineered" a connection at MS has access to all of your data.

And, lest you think this is all spurious, you might look around in the records of the internet back in the 1990s when MS was first supplying systems with internet access. There are multiple reports of people getting curious about why their modem's lights were flickering when the machine was idle. Attaching a line monitor showed that the traffic was a list of the contents of the disk, being sent to a .microsoft.com address. The server on the other end could obviously also ask for the contents of files. This was ignored by the media and most managers, but it was noticed by the geeks among us with even minimal understanding of network security. Similar behavior has been reported for most releases of Windows.

This all has obvious application to HIPAA rules. My wife has worked with medical data for several decades now, at several employers. Every one of them worked exclusively on Windows systems. She has a Windows partition on her Mac "for work", and uses it a lot. She also has a work-supplied take-home Windows laptop. It's true that they use VPN to connect to the office computer systems. But this does nothing for the above issues. Since her Windows partition and laptop are connected to our home network, VPN just supplies an internet connection to her office machines, so their "silent upgrade" feature can work any time she's connected. This shoots down any claims that her office is protected from malicious sites (such as microsoft's ;-) by VPN. We've verified that both her Windows systems can easily access .microsoft.com web sites while connected via VPN, showing that there is a data path for MS's silent update software to work.

This is hardly a secret. We've discussed it here on /., and it's been discussed in lots of other forums. Microsoft has a clear and obvious silent path to any medical data stored on their systems, any time they have an internet connection, which is almost all medical systems in the US. Anyone who can bribe the right people at MS also has such access.

So the fact that HIPAA rules don't forbid the use of MS Windows makes those rules a joke. I'd bet that many medical records people understand all this. It should be no surprise that they treat HIPAA data security as a joke.

It's interesting to consider non-MS systems in this light. Fully open-source systems are probably immune to such problems, since they'd be exposed fairly quickly. Apple systems are about half open-source, but most of the kernel and the UI have hidden source. Apple systems haven't been documented to have any behavior like those described above, so there's a good chance that such backdoors don't exist on Macs. But we can't prove this, because we aren't permitted access to the low-level source. Macs apparently don't do silent updates, but we can't prove that, either. Is there a way to either expose such backdoors or prove they don't exist on Macs?

One of the basic rules of computer security is that you don't run any code unless you have the source (and have compiled it yourself). Any binary-only software should be assumed to contain backdoors that give unknown outsiders access to your entire system. HIPAA permits the use of binary-only software such as MS Windows. Therefore, it's insecure.

More to come? (4, Interesting)

idiot900 (166952) | more than 3 years ago | (#35316596)

I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed. Directives by management are common, but when HIPAA impedes patient care (it's a hassle and timekiller to comply completely), it is always worked around. Doctors by and large, in my experience, toss HIPAA aside the first time they have to decide what to do with their limited time - adhere to every last rule or take care of a patient.

I'm really surprised it's taken this long for a fine to come about.

Re:More to come? (1)

Wyatt Earp (1029) | more than 3 years ago | (#35316636)

I work in a state governmental agency and we take it very seriously.

Paperwork first, patient care second? (0)

perpenso (1613749) | more than 3 years ago | (#35317044)

I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed. Directives by management are common, but when HIPAA impedes patient care (it's a hassle and timekiller to comply completely), it is always worked around. Doctors by and large, in my experience, toss HIPAA aside the first time they have to decide what to do with their limited time - adhere to every last rule or take care of a patient.

I work in a state governmental agency and we take it very seriously.

You do realize that some are going to interpret your response to mean that in government run health care the decision will be to give paperwork and rules a higher priority than patient care? I suspect this is not the impression you wanted to make. Perhaps you should elaborate on your response.

Re:Paperwork first, patient care second? (2)

BitZtream (692029) | more than 3 years ago | (#35317388)

Why isn't it? We've made LAWS saying that this stuff IS important.

And also having worked in government public health, it is something taken very seriously. Lives ARE on the line. Example: A database with AIDS patient information being 'leaked' in the wrong part of the wrong state/country to the wrong people very well might end up with people being beat to a bloody pulp because some ignorant fuck finds out some guy has AIDS and assumes that means he's also gay AND deserves a beating.

There's of course all the issues of discrimination due to ignorance when it comes to medicine as well, especially with things relating to mental health.

So yes, I expect them to follow the law and if that means occasionally it hurts people then we either change the law or we accept that the good it does outweighs problems it causes.

You however, DO NOT GET TO DECIDE because THE PUBLIC COLLECTIVELY HAS DECIDED.

You're looking at it through a tiny instant in time through a tiny pinhole and ignoring everything else trying to come up with an instance to justify your reaction to his statement, the problem is that you are completely unqualified (I say that based on the fact that you raised the question alone) to make that decision, which is why it isn't your decision and there are laws relating to it.

Again. YOU DON'T GET TO DECIDE WHICH LAWS TO FOLLOW AND WHEN YOU FOLLOW THEM, but you do get to vote for the people who make the laws. Change the laws or follow them, nothing else is acceptable.

Re:Paperwork first, patient care second? (1)

Local ID10T (790134) | more than 3 years ago | (#35317774)

Again. YOU DON'T GET TO DECIDE WHICH LAWS TO FOLLOW AND WHEN YOU FOLLOW THEM, but you do get to vote for the people who make the laws. Change the laws or follow them, nothing else is acceptable.

Yes, I do. The court may decide to punish me for breaking a law, but it is always my decision whether or not I will follow a law. See the concepts of civil disobedience [wikipedia.org] and free will [wikipedia.org] . An unjust law should never be followed, and even a just law should not be followed blindly.

Re:Paperwork first, patient care second? (1)

perpenso (1613749) | more than 3 years ago | (#35318136)

You're looking at it through a tiny instant in time through a tiny pinhole and ignoring everything else trying to come up with an instance to justify your reaction to his statement, the problem is that you are completely unqualified (I say that based on the fact that you raised the question alone) to make that decision, which is why it isn't your decision and there are laws relating to it.

No. I am looking at poster #1 who offered a very specific situation. Poster #2 then offered a very general and somewhat tangential response that could be interpreted several ways due to its vagueness. I pointed this out to poster #2, offering one interpretation that he probably did not intend and suggested he elaborate to avoid this miscommunication.

Your hysteria is causing you to see things that are not there.

Re:Paperwork first, patient care second? (1)

Wyatt Earp (1029) | more than 3 years ago | (#35317428)

Did I say I work in health care?

No I didn't and HIPAA doesn't just apply to patient care, it also applies to mental health, disabilities, etc.

I stand by my comment - I work in a state governmental agency and we take it very seriously.

Re:More to come? (0)

Anonymous Coward | more than 3 years ago | (#35317070)

I work in a state governmental agency... so you don't have to be efficient.

Re:More to come? (1)

Wyatt Earp (1029) | more than 3 years ago | (#35317446)

Lives aren't on the line at my job, paperwork is, so we take HIPAA seriously.

Re:More to come? (1)

snookerhog (1835110) | more than 3 years ago | (#35316688)

+1 Informative

Are there any studies out there about how much HIPAA compliance costs?

Re:More to come? (2)

ColdWetDog (752185) | more than 3 years ago | (#35316778)

Are there any studies out there about how much HIPAA compliance costs?

Probably. They won't mean much. HIPAA is the new bogeyman so any 'compliance cost' estimate will be full of untested assumptions, incorrect assumptions, wild-ass guesses and gonzo statistics. It's really NOT all that hard to follow most of the HIPAA rules. DHS has made it clear that they're not going after each and every little mistake that people make but are instead going after willful, major violations, such as the one in TFA.

The biggest problem with HIPAA, IMHO, is the free pass it gives insurers to send your private medical information to any of their friends, er, business partners. No, they can't just post it on the Internet, but the first time your medical record reflects anything more serious than a bladder infection, be assured that every insurance broker in the country will know about it. But the general privacy rules are a reasonable balance between patient privacy and medical workflow.

Re:More to come? (1)

Hylandr (813770) | more than 3 years ago | (#35317040)

Are there any studies out there about how much HIPAA compliance costs?

Probably. They won't mean much. HIPAA is the new bogeyman so any 'compliance cost' estimate will be full of untested assumptions, incorrect assumptions, wild-ass guesses and gonzo statistics. It's really NOT all that hard to follow most of the HIPAA rules. DHS has made it clear that they're not going after each and every little mistake that people make but are instead going after willful, major violations, such as the one in TFA.

I used to work for a medical facility and this very thing was rampant. The ladies thought they could read the law and instantly understand what was required. They would spend hours in the conference room conjuring up IP policies they knew nothing about, and expect me to put my behind on the legal line. No thanks.

That's why I left.

- Dan.

Re:More to come? (0)

Anonymous Coward | more than 3 years ago | (#35317118)

Probably about as many studies about how much it costs patients when it isn't complied with.

Re:More to come? (0)

Anonymous Coward | more than 3 years ago | (#35316720)

I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed.

I wrote medical software for several years. Unless the regulations have changed significantly, I doubt if there is a hospital in existence that is compliant. One key regulation involved the release of any "individually identifiable medical information", so if your doctor happens to mention that your sister was in his office yesterday with a cold, technically that is a violation. So is any unencrypted network traffic with similar information (HL7 messages, etc).

Re:More to come? (0)

Anonymous Coward | more than 3 years ago | (#35317410)

I wrote medical software for 15+ years, and was quite familiar with HIPAA. Encrypting HL7 messages was never a requirement to comply, unless you were going to print them out or put them on another (paper like) medium where they could be read easily.

And yes, it is not appropriate for a doctor to mention a diagnosis (just a cold) he made to your sister. However, the doctor telling you your sister was there yesterday is questionable. Technically, it isn't medical information, however, if a doctor is careless enough to mention it, it's quite possible the conversation won't stop there, and that is where they will run into trouble.

Re:More to come? (1)

shawb (16347) | more than 3 years ago | (#35317568)

It can even be considered a violation if a medical professional recognizes and initiates conversation with a patient outside of work. It's fine if the patient initiates conversation, but merely letting those around the patient know that you are a patient by coming up and saying "Hi!" can be a violation. However, I did hear this from people who work in more sensitive, potentially embarrassing fields; the risk of a friendly conversation being triggered as a violation is probably much greater for a proctologist or STD clinic worker than a family practice physician.

Re:More to come? (1)

Quirkz (1206400) | more than 3 years ago | (#35318170)

Yep, my wife's run into variants of this. She works in health care and I've heard her say things like, "I saw a patient in the store but they didn't seem to notice me, so I couldn't say hi" or "that patient agreed to be in an article in the paper so now I can say who she is" ...

Re:More to come? (5, Interesting)

Velex (120469) | more than 3 years ago | (#35316752)

Ah, a med student. How quaint.

One of my former co-workers once got into an argument with her provider's office about a policy change of theirs. It just so happened that office was also a client of my employer's (answering service). So, the office took it upon themselves to put two-and-two together, and they managed to have her fired. Yes, fired because she had an argument off-the-clock in a situation where she was supposed to be the customer.

I think it's good that HIPAA is being enforced. If you med types want to arrogantly view yourselves as gods or even scientists because you know a little biology, you could at least use a bit of ethics in your daily lives. Dicking around with confidential information and using it for your own amusement/revenge is not ethical.

Re:More to come? (0)

Anonymous Coward | more than 3 years ago | (#35317340)

I think it's good that HIPAA is being enforced. If you med types want to arrogantly view yourselves as gods or even scientists because you know a little biology, you could at least use a bit of ethics in your daily lives. Dicking around with confidential information and using it for your own amusement/revenge is not ethical.

Thanks for your raft of flippant assumptions.

There are only 24 hours in the day, and in a hospital, it's often the case that there is some patient care task to do literally every second you are there. Working within HIPAA takes extra time. Do you do everything strictly HIPAA or do you spend that time doing something more for your patient? Much of the time there is no way to do both. Most doctors I've met choose the latter, and those are the sort of people I want taking care of me. I don't care if random people know what my electrolytes are.

For example, progress notes must be written daily on each patient on a floor. At least one EMR system I've encountered has such a terrible UI that drafting and saving a note is functionally impossible, and the average resident is paged several times an hour to go do something. So most people save them in Word documents on a shared drive, accessible by anyone in the institution and blatantly violating HIPAA, and copy and paste when they're ready to put it in the chart.

Re:More to come? (2, Interesting)

Anonymous Coward | more than 3 years ago | (#35317490)

For example, progress notes must be written daily on each patient on a floor. At least one EMR system I've encountered has such a terrible UI that drafting and saving a note is functionally impossible, and the average resident is paged several times an hour to go do something. So most people save them in Word documents on a shared drive, accessible by anyone in the institution and blatantly violating HIPAA, and copy and paste when they're ready to put it in the chart.

Well, that's completely irresponsible, and I hope you guys get caught and fined for it.

There are only 24 hours in the day, and in a hospital, it's often the case that there is some patient care task to do literally every second you are there.

Boo hoo. Medical schools accept a ridiculously small number of students (I'm not talking about people who don't fit the bill, I'm talking about straight A students), in an attempt to maintain an artificial scarcity of doctors, in order to keep salaries high. That results in insanely high salaries for you guys, but it does also result in a ridiculous amount of work that you must do in order to earn that money. Honestly, the industry needs to pick: increase the number of doctors being trained, so that you end up with lower salaries but a more reasonable work schedule, where hospitals can hire more doctors to help share your load, or you work your ass off as you currently do. Honestly, those are both justifiable options. What is not justified is you skirting the rules because you're swamped. That includes rules like HIPAA that affect the privacy of the patient and rules like the minimum amount of rest you need to get, which affects the safety of the patient.

In other words, you're overpaid thanks to an artificial scarcity. You don't have the right to bitch about too much work, that's the price you pay for the profession you chose.

Re:More to come? (0)

Anonymous Coward | more than 3 years ago | (#35318282)

Honestly, the industry needs to pick: increase the number of doctors being trained, so that you end up with lower salaries but a more reasonable work schedule, where hospitals can hire more doctors to help share your load, or you work your ass off as you currently do.

It's considerably easier to be a straight-A student than it is to be a good doctor. Artificial scarcity notwithstanding, the average quality of the talent will go down if more people go to medical school.

There are a number of medical schools in the Caribbean that more or less anyone with a pulse can and does go to. In addition to this, there are DO schools. Most of these doctors end up at smaller community hospitals, and the quality of medicine practiced is probably considerably lower than at major teaching hospitals. Having been both a patient and on the provider side, I think it's practically impossible for an untrained patient to know if they aren't getting the best care.

That includes rules like HIPAA that affect the privacy of the patient and rules like minimum amount of rest you need to get, which affects the safety of the patient.

Many doctors are not fans of minimum rest rules because it increases the number of handoffs of patients between teams that must be done. Every time there is a handoff, information is lost, and the next team is more likely to make a mistake. This is a bigger issue than lack of sleep, but it's not intuitive to the lay public, so people don't get as angry about it.

Re:More to come? (3, Interesting)

debrain (29228) | more than 3 years ago | (#35317408)

If you med types want to arrogantly view yourselves as gods or even scientists because you know a little biology,

There isn't even much in the way of actual science or biology. For example, the well reputed author of Lies, Damned Lies, and Medical Science [theatlantic.com] claims that "as much as 90 percent of the published medical information that doctors rely on is flawed".

Re:More to come? (2)

VynlSol (1687610) | more than 3 years ago | (#35316802)

The hospital I'm at takes HIPAA compliance very seriously. From the provider side, at least, it seems admin has been able to integrate HIPAA regs into daily processes, such that they aren't burdensome, or even noticeable. I will note that TFA shows just how much it takes to wake the fed-monster up. Seems like quite a lot.

Re:More to come? (2)

dunezone (899268) | more than 3 years ago | (#35316888)

I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed.

Probably because no one was getting fined.

Re:More to come? (0)

Anonymous Coward | more than 3 years ago | (#35316978)

No. Probably because they were more concerned about patient care, and the need to get things done in a timely fashion.

Re:More to come? (2)

BitZtream (692029) | more than 3 years ago | (#35317498)

Yeah, well, patients seemed to think it was important enough to pass a law because we already established they were more concerned about 'patient care' (translation: making sure you couldn't take your records elsewhere, ensuring you would stay rather than get retested for everything AGAIN at an additional cost).

The law exists because 'they' clearly aren't concerned and we 'the patients' are fucking concerned.

They lost their right to make a decision in this matter when they clearly illustrated they weren't trustworthy enough or competent enough to make that decision.

We've already been burned by their 'concern', and we've made it illegal for their 'concern' to be part of the picture.

They had their chance, they blew it, now they have to do what we fucking told them to do or pay the price for not doing so.

Rigorous vs. basic? (0)

Anonymous Coward | more than 3 years ago | (#35317136)

This company failed to provide medical records to patients for *2 years*. That's far from just failing to adhere to every little detail.

Re:More to come? (0)

Anonymous Coward | more than 3 years ago | (#35317210)

HIPAA impedes patient care it is always worked around.

What part of HIPAA impedes patient care?
Please list at least one example.

Re:More to come? (2)

DarkTempes (822722) | more than 3 years ago | (#35317224)

I fail to see how allowing patients to have a copy of records of medical diagnosis and treatment is bad for the patient or creates more work for a doctor.

Yes, I can understand how additional paperwork and rules for HIPAA can impede doctors. I don't see how that applies in this case.
The given article makes it seem like the healthcare provider was not providing copies of records that they were keeping anyway.

Re:More to come? (0)

Anonymous Coward | more than 3 years ago | (#35317394)

HIPAA is so much more than giving patients copies of records. There are ridiculous communications and auditing requirements for any sort of communication of patient data. That is the hard part.

Re:More to come? (1)

Low Ranked Craig (1327799) | more than 3 years ago | (#35317274)

As well they should. The HIPAA law is an example of unintended consequences if ever there was one. How many patients have suffered or died because information wasn't shared due to fear of legal issues? How much has this impacted the cost of care with all the systems, training, legal reviews, etc? And really, since they always seem to tell your insurance company everything what fucking good is it?

Re:More to come? (5, Insightful)

chowdahhead (1618447) | more than 3 years ago | (#35317280)

HIPAA violations are usually identified either by patient complaints to the state department of health or a Joint Commission survey. Of course they happen routinely (daily, in my experience) but only violations that are reported are actionable. And, in those cases, the concern has been correcting the deficiency, not punishing the mistake. In this particular case, Cignet Health Care ignored repeated requests for information and only under a court order did they release the records. This isn't a slip-up, it's gross negligence:

When the health care provider was ordered by a court to respond to the requests, it disgorged not just the patient records in question, but 59 boxes of original medical records to the U.S. Department of Justice, which included the records of 11 individuals listed in the Office of Civil Rights Subpoena, 30 other individuals who had complained about not receiving their medical records from Cignet, as well as records for 4,500 other individuals whose information was not requested by OCR.

Re:More to come? (1)

filthpickle (1199927) | more than 3 years ago | (#35317950)

Already commented or I would mod you up. It was not intended to be punitive... if you mess something up, they tell you to fix it. An honest mistake... or even, at this point, an ignorant mistake is not what they are after.

Re:More to come? (1)

filthpickle (1199927) | more than 3 years ago | (#35317844)

Out of curiosity... can you tell me which parts of the HIPAA laws are a hassle and a timekiller for a Doctor to comply with? Administrators, IT staff, especially the billing staff, sure... but a Doctor?

This is one of the few times where /. wanders into my wheelhouse. This is, unfortunately, how I make my living. And while the implementation may be sloppy for some, just about everyone I work with except tiny one-doc offices takes HIPAA pretty seriously. I can absolutely guarantee you that insurance claim clearinghouses and insurance companies take it very, very seriously.

Also, I would like to take this opportunity to say that I have been elbow deep in this for the last 4 years and I would like to state unequivocally that computers do not lower healthcare costs at all. It's just another vector for companies to grab a slice of the money in the US healthcare system pie. I sometimes feel that we would be better off going back to paper claims.

Dentists... (0)

Vrallis (33290) | more than 3 years ago | (#35316640)

Me: "Could you email me a copy of my (digital) xrays?"
Them: "Sorry, that would be a HIPAA violation."
Me: "Could you copy them to my flash drive then?"
Them: "Sorry, that would be a HIPAA violation."
Me: "Okay fine, could you print me a copy?"
Them: "Sorry, we can't print from this system. We set it up that way to save the rainforests." ...

Re:Dentists... (4, Informative)

Anonymous Coward | more than 3 years ago | (#35316672)

Sounds like exactly what this lawsuit was about. Not giving patients their records.

Re:Dentists... (3, Informative)

Vrallis (33290) | more than 3 years ago | (#35316710)

Yeah, and I never looked into HIPAA enough to realize until now that it included protecting the patient's right to access, not just privacy. Good ammo for my next visit.

Get your medical imaging in DICOM (2)

darkgumby (647085) | more than 3 years ago | (#35316878)

For the last several years I've requested and received copies of all medical imaging data for myself, my mother and my father. In a couple of cases they mailed me a CD but in all others they gave me the disc before I left. Never any hassle, I just had to ask.

The data is in DICOM (http://en.wikipedia.org/wiki/Digital_Imaging_and_Communications_in_Medicine) format. There are free viewers for Linux, Mac, and Windows.

I had a CT done of my head. Pretty cool to watch in 3D.

My Dad has a stint in his aorta. Watching the imaging of them testing it for leaks with radioactive contrast is wild.
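The DICOM files on those discs deserve a look from the privacy angle before one is mailed or copied for someone else: the patient's name, ID and birth date sit in the file header right next to the pixel data. What follows is an added example, not code from the post above or from any DICOM toolkit. It assumes explicit VR little endian encoding (transfer syntax 1.2.840.10008.1.2.1), walks only top-level elements (no nested sequences), and parses a sample file that is constructed in memory here, not a real scan. The PHI tag list is a small subset of the identifiers covered by the DICOM PS3.15 de-identification profile; real anonymisation should use a full implementation such as pydicom or gdcm, and this just shows the mechanics of finding and overwriting the identifying values without disturbing the rest of the file.

```python
import struct

# Constructed sample: NOT a real scan. A minimal DICOM Part 10 file is
# assembled in memory so the example runs offline.
DICM_MAGIC = b"DICM"
# VRs whose length field is 4 bytes (after 2 reserved bytes) in explicit VR.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

# Direct patient identifiers (subset of the PS3.15 profile; names ours).
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}


def _encode_element(group, elem, vr, value):
    """Encode one explicit-VR little-endian element, padding to even length."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample():
    """Build the constructed sample file: preamble, magic, a few elements."""
    body = b"".join([
        _encode_element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1"),  # explicit VR LE
        _encode_element(0x0008, 0x0060, b"CS", b"CT"),
        _encode_element(0x0010, 0x0010, b"PN", b"DOE^JOHN"),
        _encode_element(0x0010, 0x0020, b"LO", b"MRN-12345"),
        _encode_element(0x0010, 0x0030, b"DA", b"19700101"),
        _encode_element(0x7FE0, 0x0010, b"OB", bytes(16)),  # stand-in pixel data
    ])
    return bytes(128) + DICM_MAGIC + body


def iter_elements(data):
    """Yield (tag, vr, value_offset, value) for each top-level element."""
    if data[128:132] != DICM_MAGIC:
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos = 132
    while pos < len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length, = struct.unpack_from("<I", data, pos + 8)
            vpos = pos + 12
        else:
            length, = struct.unpack_from("<H", data, pos + 6)
            vpos = pos + 8
        # Refuse to read past the buffer: a truncated or hostile length
        # field must not turn into an out-of-range slice or a silent miss.
        if vpos + length > len(data):
            raise ValueError(f"element {(group, elem)} runs past end of file")
        yield (group, elem), vr, vpos, data[vpos:vpos + length]
        pos = vpos + length


def find_phi(data):
    """Return {name: value} for identifying tags present in the file."""
    found = {}
    for tag, _vr, _vpos, value in iter_elements(data):
        if tag in PHI_TAGS:
            found[PHI_TAGS[tag]] = value.decode("ascii").rstrip(" \x00")
    return found


def scrub_phi(data):
    """Overwrite PHI values with same-length filler so offsets don't move."""
    out = bytearray(data)
    for tag, _vr, vpos, value in iter_elements(data):
        if tag in PHI_TAGS:
            out[vpos:vpos + len(value)] = b"X" * len(value)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample()
    print("before:", find_phi(sample))
    print("after: ", find_phi(scrub_phi(sample)))
```

Same-length overwriting is deliberate: it leaves every other element and the pixel data byte-for-byte intact, so a viewer still opens the file, and the check that a truncated length field is rejected is what keeps a malformed disc from producing a half-parsed, half-scrubbed file.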

Re:Get your medical imaging in DICOM (-1)

Anonymous Coward | more than 3 years ago | (#35317054)

It's morons like you that know just enough to be dangerous that make medical providers shudder.

Your dad may have done a stint in the slammer, but he has a 'stent' in his aorta.

And, the contrast they use to perform the CTA or angiogram to follow up his stent isn't radioactive. It's just dense, which given your own composition, I'm sure you'll see the irony.

A perfect example of why any suggestion of saving money by involving the 'consumers' more in the decision making process is laughable at best.

Re:Get your medical imaging in DICOM (2)

BitterOak (537666) | more than 3 years ago | (#35317098)

It's morons like you that know just enough to be dangerous that make medical providers shudder.

What you fail to explain is how the fact that the poster has seen CT images of his head or his dad's heart makes him dangerous. I don't recall him saying that he plans to perform home surgery based on these pictures.

Re:Get your medical imaging in DICOM (1)

Stormthirst (66538) | more than 3 years ago | (#35317438)

What you fail to explain is how the fact that the poster has seen CT images of his head or his dad's heart makes him dangerous. I don't recall him saying that he plans to perform home surgery based on these pictures.

Perhaps you should re-read his post - it reads: "A perfect example of why any suggestion of saving money by involving the 'consumers' more in the decision making process is laughable at best."

Re:Get your medical imaging in DICOM (2)

muridae (966931) | more than 3 years ago | (#35317492)

It's idiots like you that are dragging the medical profession the same direction as lawyers.

GP said s/he had a CT, and his/her father had a radioactive contrast scan. Now, sure, contrast for a CT scan isn't normally radioactive. But it is in a PET scan, though specialists may call it a tracer. Same for SPECT, V/Q, and scintigraphs. And a few of those would be useful for checking out a stent.

Yes, there are dangerous patients who think they know more than doctors do. There are also patients who spot things that doctors ignore because the doctors are used to seeing something else. A patient can be involved in their own medical care without being pushy and a 'know-it-all'.

But, since you are a know-it-all type who presumed all sorts of things about the GP, you probably didn't even realize that. You thought that doctors never make typos, and no medical records transcriptionist would ever misspell 'stint' and 'stent', or confuse 'below knee' with 'bologna'.

Re:Get your medical imaging in DICOM (1)

DeadCatX2 (950953) | more than 3 years ago | (#35317520)

If it weren't for assholes like you who wish to keep a patient's own data from them, perhaps more people would understand these things. Maybe if the doctors actually TALKED TO THEIR PATIENTS instead of just treating them like some lab animal, more people would understand these things. Maybe, just maybe, people aren't as dumb as you think they are.

Re:Get your medical imaging in DICOM (1)

treeves (963993) | more than 3 years ago | (#35317776)

And if you are a "health care professional", you're a pretty good counterexample.

Re:Dentists... (1)

tacokill (531275) | more than 3 years ago | (#35317236)

It also applies to any medical records your employer is privy to. Don't forget that when you consider the implications of patient's right to access.

Any employer who is not paying attention to HIPAA is going to (eventually) get in trouble. It's not just healthcare providers and doctors who have to worry about it. It's anyone who handles medical records and/or medical information. Drug test results, results of pre-employment physicals, DOT testing results, etc, etc. All of these are HIPAA related between you and your employer.

I suspect the lawyers are just waiting for a few test cases to trickle through before they open up the floodgates. This CIGNET case is pretty egregious but there will be other cases that will be more nuanced.

Re:Dentists... (1)

sconeu (64226) | more than 3 years ago | (#35317978)

I did RTFA, and I'm not sure if the fine was for the denial of access, or for the extra 4500 people submitted to HHS's office of civil rights.

Re:Dentists... (1)

blivit42 (980582) | more than 3 years ago | (#35318010)

I'm not so sure the HIPAA fine is in regard to denying patients access to their own data. I work at a medical institution, and went through a half day's worth of online HIPAA training a few months ago. It included the whole history of lots of bad things that have happened in the past, why we need patient privacy, ethics, various examples of who can and can not access the data, etc. The entire training course was all about protecting patient privacy from third parties. Nowhere was there any discussion about patients having the right to access their own data. If there is a provision regarding this in HIPAA, I can say that it's definitely not included in standard training courses (and my course was a standard course from a company that many institutions use for their HIPAA training).

If you read further in the article, you will see that HHS requested the patient records on behalf of the patients who had filed complaints. Rather than simply provide records for the 41 patients in question, Cignet complied by pulling the standard legal BS of swamping them with 59 boxes of records, including those of ~4500 *other* individuals. THIS is likely where the HIPAA fine is coming from -- the release of records for 4500 patients to a party not authorized to see them (I assume HHS was only authorized to see the records of the 41 individuals who filed complaints). This would work out to be roughly $1000 per "incident".

This was incredible stupidity on Cignet's part. They got what they deserved.

Re:Dentists... (1)

filthpickle (1199927) | more than 3 years ago | (#35318130)

Another thing to check is how they bill your visit to your insurance company.

I doubt many are billing outright fraudulently... but they might bill a code that implied that the doctor had seen you directly for 30 minutes... when he had actually been in the room for about 3. There is a cheaper rate for that. Since almost nobody ever looks at this, it never gets caught. Except if you were that provider that didn't know I had that level of access to my insurance claims... and that understanding of what the procedure codes were. (They IMMEDIATELY changed it when I brought it to their attention).

Re:Dentists... (-1)

Anonymous Coward | more than 3 years ago | (#35316810)

Me: No X-rays please, my teeth aren't causing me trouble at the moment.
Dentist: No problem.

All of the problems with my teeth are found visually during regularly scheduled checkups.

Too many xrays everywhere. Most of dentistry x-rays fall in the useless category. The only useful dentistry x-rays are related to tooth surgery (eg. extraction of impacted teeth) or possibly infection under the tooth. The latter causes significant pain without any visible cavities on the tooth surface. It's like the lessons of the past generation are completely forgotten and it's back to "x-rays are good!". Well, pointless xrays are bad because radiation is not indifferent.

http://en.wikipedia.org/wiki/Shoe-fitting_fluoroscope

Re:Dentists... (2)

ColdWetDog (752185) | more than 3 years ago | (#35316868)

Me: "Could you email me a copy of my (digital) xrays?" Them: "Sorry, that would be a HIPAA violation."

That would be since your name is on them and, as we all know, email is basically an electronic postcard. You certainly can make secure email systems and larger health care organizations often have them. Smaller places just don't want to bother with it yet. Keep whining at them.

Me: "Could you copy them to my flash drive then?" Them: "Sorry, that would be a HIPAA violation."

That's not a HIPAA violation, that's an obvious security issue. Nobody in their right mind would let you plug some random flash drive into the hospital network.

Me: "Okay fine, could you print me a copy?" Them: "Sorry, we can't print from this system. We set it up that way to save the rainforests." ...

If that's really true, then the health care provider is bullshitting you. Everybody has the capacity to print on x-ray film; that's the current "lowest common denominator" for radiologic data. The other common way is a CD and pretty much anybody I've seen can at least do CDs of CT or MRI data (since that is always digital anyway).

HIPAA is currently being used as the common excuse for not wanting to do something in Medical Records. It's a handy little bogeyman. There has to be some upside to Governmental regulation.

Re:Dentists... (0)

Anonymous Coward | more than 3 years ago | (#35317534)

"Nobody in their right mind would let you plug some random flash drive into the hospital network."

I have worked at several hospitals and medical schools. The safest thing they could do is plug your flash drive into their system. Most of the time their systems are so infested with malware, viruses, etc. that your flash drive would catch something first.

I remember a hospital who set up an MRI and connected it to the network and had root as the user name and no password. The operators were irate when we made them change the account name and have a complex password. It went up to the hospital's attorney, who only agreed with us when we pointed out it was a HIPAA violation to have patient data (scans) accessible to the internet without a password.

Re:Dentists... (1)

filthpickle (1199927) | more than 3 years ago | (#35318188)

They can email it to you. I am not asking for a discussion on whether this is the right way to do it...but a password protected zip/rar/etc passes HIPAA muster, as long as the password isn't in the email itself ofc. Although I completely agree with you, HIPAA is used as an excuse for not wanting to do something. And a way for a lot of companies to make a lot of money.

Re:Dentists... (1)

altek (119814) | more than 3 years ago | (#35317298)

They're required by law to provide you with the records you are requesting. X-ray data is considered part of your medical record, and legally you are the owner of it. Not sure if you actually had this discourse, or if it's hypothetical, but if it's the former, you should probably remind them of that fact. Then again, I don't know if dentistry is subject to the same regulations as hospitals / other health care providers, but I would assume so. What I said definitely applies to hospitals.

I for one (1)

Aighearach (97333) | more than 3 years ago | (#35316718)

Think it's about time!

I don't get it (0)

Anonymous Coward | more than 3 years ago | (#35316724)

The acronym ends in AA, but doesn't appear to be part of the MAFIAA. did I miss something?

And please, (1)

no-body (127863) | more than 3 years ago | (#35316726)

who will eventually pay for those fines?

Nothing but hot air puffing up some ego.

Re:And please, (1)

Anonymous Coward | more than 3 years ago | (#35316762)

Your logic is impeccable! We shouldn't fine polluters for fouling the water or the air either, since those costs will just be passed on to the consumers!

Re:And please, (1)

JoeMerchant (803320) | more than 3 years ago | (#35316942)

You will actually reap the benefits of those fines by having a lower federal debt, or possibly lower taxes in the future.

Meanwhile, the customers of the fined company will suffer, but not as much as they do by continuing to use them as a service provider.

Re:And please, (1)

no-body (127863) | more than 3 years ago | (#35317124)

$ 4.3 M - Oh, come on, get a perspective!

http://www.usdebtclock.org/ [usdebtclock.org]

Where are they? Fffft - gone!

First it will get paid out of corporate funds - reduces profit, taxes and, since profitability is a must - stockholders want their cut - the customers will come up for it.
Size of company/revenue in relation to penalty is unknown, which would be interesting, is it even worth a scratch?
Maybe lawyers are making more on it challenging the whole thing.

Re:And please, (1)

Anonymous Coward | more than 3 years ago | (#35317230)

I think the point is to make it more expensive to not follow HIPAA than to follow it.

There are other hospitals that customers can go to. As you said, it will get paid out of corporate funds, which reduces profit. They may raise prices to cover it, but I'm sure they've already figured out the most profitable price - raise it any higher and it will drive away more customers than they'll make back with the higher price.

At least that's how it's supposed to work, right?

Re:And please, (2)

RollingThunder (88952) | more than 3 years ago | (#35317294)

The company.

If they try to pass that on to their customers, their customers will leave them; there is ample competition for that to be an effective punishment that can't simply be fobbed off.

Re:And please, (1)

Locke2005 (849178) | more than 3 years ago | (#35317634)

Yeah, sure, because everybody shops for medical services with price as their primary concern!

Re:And please, (1)

filthpickle (1199927) | more than 3 years ago | (#35318292)

This is why I love the idea of non-specialists being paid a monthly amount based on how many patients they have. You don't get any more for ordering expensive and unnecessary tests. You don't get any less for using a cheaper, common-sense remedy that is just as effective.

You don't have any incentive to schedule unnecessary follow-up visits... you get paid the same no matter how many times you see me. If I feel like you are putting me off or avoiding treating me... I go find another doctor and you don't get anything from me anymore.

Of course the devil is in the details, but I think this would work better than what we have.

cut off nose to spite face (2)

ygthb (84559) | more than 3 years ago | (#35316764)

I just love it.

to send a large middle finger to the feds by burying them in discovery (this seems fairly common, more info than needed is sent in the hopes that it is too large a task), and in response to a HIPPA complaint about their non compliance with patient medical record access, Cigna violates nearly every portion of the privacy sections of HIPPA.

I think the fine should be 10X

Re:cut off nose to spite face (2)

blair1q (305137) | more than 3 years ago | (#35316854)

Cignet != Cigna

Re:cut off nose to spite face (2)

altek (119814) | more than 3 years ago | (#35317072)

Also, HIPPA != HIPAA.

Re:cut off nose to spite face (0)

ygthb (84559) | more than 3 years ago | (#35317886)

OK, I admit, fingers faster than brain.

Yes, it is Cignet

and yes it is HIPAA

Just 4.3? (1)

muridae (966931) | more than 3 years ago | (#35316794)

I first read the headline as 54.3 million and thought 'now that is a fine.' But just 4.3? I tried looking up this company and could find nothing about their revenue, prices, pay for doctors, anything. Is this a small set of clinics that doesn't give their CEO a million in expense accounts, or is it the government forgetting that companies really do compare the cost of a fine versus the cost of complying?

Which is worse here - take your pick! (2)

hilldog (656513) | more than 3 years ago | (#35316800)

The fact that they would not give the patients their records as requested, totally ignored all legal requests, or finally coughed up 4,500 other records that were not even asked for? This health care company acted either like a spoiled petulant child or a clueless moron. Either way these are NOT the people I want keeping my records.

More of an excuse than a protection (0)

Anonymous Coward | more than 3 years ago | (#35316824)

Far more often, I hear "We can't do that because of HIPAA" being used as a BS excuse instead of a genuine privacy protection.

First case in point: a therapist who had my child and my friend's child in a room together. I wanted to go back to see how my child was doing (from the crying screams and sobbing, apparently not well). "No, we can't let you go back due to HIPAA regulations."

Similar, more benign events have always bothered me because it's just a lazy med records worker who throws HIPAA in your face rather than doing their job to get the information you are actually guaranteed access to by HIPAA.

Mystery (1)

mr100percent (57156) | more than 3 years ago | (#35316848)

You can read the entire Penalty notice [hhs.gov] , which lays out a good timeline of what went on. HHS sent them letters, phone calls, sign and return receipt requested letters, then subpoenaed them and after all that Cignet didn't even bother to show up in court. When the judge threatened penalties, they gave thousands of patient charts over, even though the subpoena was for only 30 records.

Looks like they had it coming, or else someone really badly has to fire their office administrator.

Re:Mystery (1)

Fujisawa Sensei (207127) | more than 3 years ago | (#35316902)

Not the office administrator, the lawyers.

It's about time! (0)

Anonymous Coward | more than 3 years ago | (#35316920)

Insurance companies (sometimes literally) get away with murder and it needs . Bogus denials, unreasonable payment guidelines, lousy record keeping, and piss-poor communication standards need to go! It's about time the law starts applying to this industry. This story is a start... let's hope they start having to answer to rules and regulations like every other industry in this country. Maybe then we can start repairing our flawed healthcare system.

Re:It's about time! (0)

Anonymous Coward | more than 3 years ago | (#35317074)

*needs to stop. (n00b)

And the crowd discovers the true purpose of HIPPA (0)

Anonymous Coward | more than 3 years ago | (#35316948)

in 3... 2... 1...

Re:And the crowd discovers the true purpose of HIP (2)

altek (119814) | more than 3 years ago | (#35317318)

And the unwashed masses still think HIPAA is spelled "HIPPA"

Well (1)

ShooterNeo (555040) | more than 3 years ago | (#35317080)

If I were a hospital or clinic, I would interpret this the opposite. This is the first time anyone has EVER been fined, and it's for blatant refusals to give medical records to dozens of people or respond to mail. Given what it takes to actually be fined, I would stop harassing people with useless HIPAA notices and using it to obstruct anything from getting accomplished whenever convenient.

Re:Well (1)

iamhigh (1252742) | more than 3 years ago | (#35317112)

That was my thought... just now, after 15 years, and it was blatant; not just refusal to the consumer/patient, but to the regulators. Not to mention it had nothing to do with the security portion of the bill. The security issues worry me much more than some doctor holding records hostage.

Re:Well (1)

RKThoadan (89437) | more than 3 years ago | (#35317184)

It may be the first fine but I've worked at a hospital where they were investigating a complaint and it is an extremely major hassle to deal with. I'm guessing it would compare nicely to an IRS tax audit.

Also, like the vast majority of cases in the legal system, most HIPAA violations are settled out-of-court and I'm sure money has been paid, but it's only considered a fine if a court has to order it.

Until, like the FCC... (2)

Tmack (593755) | more than 3 years ago | (#35317096)

The company that got the fine turns around and challenges the Government's right to meddle with private businesses, and gets the penalty eliminated while saying the USDH doesn't have the authority to fine people.... I swear, if we have Departments set up to regulate businesses, what good does it do to not allow them to actually enforce their regulations???

tm

HAHA 4.3M is a slap in the face to us, not them! (2, Informative)

Anonymous Coward | more than 3 years ago | (#35317130)

This doesn't faze them one bit... of the 4 hospitals they run, they have 925 beds between the 4 of them... they're raking in $$$... especially when 99% of Maryland facilities only negotiate 2% discounts... even on a $51K bill. Blasphemy!

I checked their site and found this...
HOSPITAL AFFILIATION: Southern Maryland Hospital, Clinton, MD, Doctors Community Hospital, Lanham, MD, Laurel Hospital, Laurel, MD, Prince Georges Hospital, Cheverly, MD*

Then I searched the 4 hospitals...
Prince George's Hospital Center - # of beds = 329, Total Patient Revenue: $291,123,454; Total Discharges:15,789; Total Patient Days: 101,520
Southern Maryland Hospital - # of beds = 276; Total Patient Revenue: $232,772,744; Total Discharges:18,567; Total Patient Days: 72,954
Doctors Community Hospital - # of beds = 190; Total Patient Revenue: $196,845,854; Total Discharges:12,357; Total Patient Days: 51,708
Laurel Hospital - # of beds = 130; Total Patient Revenue: $91,931,570; Total Discharges: 7,266; Total Patient Days:29,500

you do the math!

Don't diss Big Brother (1)

bittmann (118697) | more than 3 years ago | (#35317192)

Seriously -- is this fine about HIPAA, or is it about failing to snap to attention when the Big Government Agency came calling?

Also seriously: One of the HIPAA loopholes that patients aren't always told about is that HIPAA privacy rules don't necessarily apply when the government gets involved. One could easily argue that Cignet shouldn't have released those 4,500 unneeded records, you bet...but one could also argue that the release of those records didn't automatically trigger a HIPAA violation, as they were released in response to an oversight request, e.g. "Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law." (source: CDC.gov [cdc.gov] ). If HITECH changed that, it'd be news to almost everyone -- when is the last time that the government willingly adopted rules restricting their own capabilities?

Regardless, IMO if they would've done exactly the same release of information BUT responded in a timely fashion to the Government's demands, there wouldn't have even been a $43 fine. Because that's the way that the Government seems to work.

Not the first fine! (0)

Anonymous Coward | more than 3 years ago | (#35317714)

1. Sorry, but not sure in what sense this is "the first monetary fine issued since the Act was passed in 1996."

July 19, 2008: A Seattle-based health system has agreed to pay a $100,000 HIPAA fine to HHS--as well as improve its medical data security--after failing to properly secure data backup tapes, disks and laptops. This marks the first time HHS has agreed to a Resolution Agreement. During 2005 and 2006, medical data was stolen from Providence Health & Services several times, with backup tapes, optical disks and laptops being lost or stolen repeatedly. All told, the unencrypted personal health information of more than 386,000 patients was compromised.

http://www.fiercehealthit.com/story/seattle-system-will-pay-100k-hipaa-fine-after-repeated-breaches/2008-07-19#ixzz1F0nM91Sd

2. In 1996 there was nothing to fine. The rules to which these fines apply went into effect in 2005 for large organizations, 2006 for small ones. HHS started auditing in 2007. First fine 2008.

3. Do they teach fact-checking in journalism any more?

Stephen Cobb, CISSP
