AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


HIPAA Encryption: Fines Not Related To Data Security Are Also Something To Think About

From time to time I cover stories and issues where HIPAA/HITECH and medical data encryption intersect.  Today, I'm going to just observe that HIPAA/HITECH involves more than patient data security, and that the HHS is not a sleeping lion anymore.

Cignet Health Fined for Not Collaborating

On February 22, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) imposed a fine of $4.3 million on Cignet Health of Prince George's County, MD.

Of the total amount, $1.3 million was for denying patients access to their own medical files, which is a violation of the HIPAA Privacy Rule.  Under this rule, patients must be provided a copy of their medical records no later than 60 days from the original request (it's supposed to be 30 days from the request, but can be extended an additional 30 days if permission is granted).

The other $3 million was imposed because:

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million. [sunherald.com, my emphasis]

Dang, what the heck was Cignet thinking?  They refused to respond and to cooperate?  Plus, if the OCR was able to obtain a default judgment, it implies that Cignet didn't even bother to show up in court when summoned.  That's essentially saying, "hey, I admit to whatever I'm being accused of and agree to make it legally binding."  And when Cignet did eventually deliver the patient records,

Cignet delivered 59 boxes of records to the U.S. Justice Department, which contained not only the records of the 41 patients, but also the records for 4,500 other patients who did not request their release. [medpagetoday.com]

As if that's going to annoy the OCR. If anything, OCR now probably has a reason to give Cignet another ginormous fine, since Cignet has unnecessarily shared PHI with unconcerned parties: the OCR didn't ask for the 4,500 other patients' info, so... they really shouldn't have that information.


Related Articles and Sites:
http://www.hhs.gov/news/press/2011pres/02/20110222a.html
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html
http://www.healthleadersmedia.com/page-1/LED-262929/HHS-Issues-Civil-Money-Penalty-for-Privacy-Rule-Violations
http://www.sunherald.com/2011/02/22/2883973/hhs-imposes-a-43-million-civil.html
http://www.medpagetoday.com/PublicHealthPolicy/HealthPolicy/25036

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.