Cignet Health fined $4.3 million for HIPAA Privacy Rule violation

Cignet Health, a Maryland health plan and a HIPAA covered entity, has been fined $4.3 million for failing to provide health records to 41 patients upon request, and for failing to cooperate with OCR's investigation. This is the very first civil money penalty (CMP) issued by HHS under the HIPAA Privacy Rule.

Via HHS Press Release:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

 


New York City hospitals suffer enormous data breach

New York City's Health and Hospital Corporation notified its patients last week of a loss of electronic files containing personal data, including PHI of some 1.7 million people. Electronic files were stolen while the information management company's van was left unlocked and unattended.

This case should serve as a great reminder to:

  • check your existing contracts - including Business Associate Agreements - with HIT and health information management vendors, to see if such agreements contain appropriate clauses indemnifying the provider against costs, losses, fines and other expenses incurred as a result of the vendor's loss or improper disclosure of protected personal data, including PHI;
  • make sure that the same contracts do not impose a cap on the vendor's liability in the event of such a breach;
  • confirm that you have a proper breach response plan in place (which should include, e.g., where applicable, procedures for notifying patients in foreign languages); if not, bring together management, legal, IT and privacy and security officers to develop such a plan as soon as possible; and
  • review your policies and procedures with respect to compliance with the HIPAA Privacy and Security Rules, especially as modified by the HITECH Act.

 


Blumenthal to leave ONC this spring

Dr. David Blumenthal, the head of the Office of the National Coordinator for Health IT (ONC), announced yesterday in a letter to his staff that he's leaving the ONC and returning to his position at Harvard University.  

According to Dr. Blumenthal, the move was "planned" and is expected to take place this spring. Here is a copy of his letter, via Healthcare IT News:

ONC Staff:

As you know, I have told Secretary Sebelius that I will be returning to my academic home this spring, as was planned when I accepted the position of National Coordinator for Health Information Technology. While we still have important work to do together, including the assurance of a productive transition for ONC, now is the time for me to express my deep gratitude to all of my ONC colleagues, and my admiration for all you have accomplished.

We have been privileged to be at the center of a great new enterprise at an historic moment in our health care system. For years America’s health policy leaders have understood that information technology offered the opportunity for transformational improvement of the Nation’s health care system and the health of individual Americans. Yet the obstacles are formidable: our fractured health care system, our dysfunctional payment methods, the lack of an infrastructure for exchanging health information, and more.

 
