Non-compliance Equals BIG Fines, Blog by Randy Kerns

By Randy Kerns, Thursday, March 10th 2011

Analyst Blogs

The Department of Health and Human Services has levied a hefty fine of $4.3 Million against a Maryland health care provider for HIPAA violations – http://threatpost.com/en_us/blogs/hipaa-bares-its-teeth-43m-fine-privacy-violation-022311.  This is a significant event and indicator for institutions and companies that deal with information that have regulations controlling access and defining the rules for storing and managing records.  The article states this is the first enforcement of the HIPAA regulations which is not accurate but it is the first enforcement since the more stringent HITECH Act was passed.  Other enforcements prior to this had been localized to regional hospitals and did not receive significant publicity.

This enforcement did receive a great deal of publicity which brings up the question, “Why now?”  There is the stated reason which was to force compliance after customer complaints and a lack of cooperation to meet the legal requirement regarding privacy data.  But, there is a more direct message being communicated here:

  • The Department of Health and Human Services is being punitive with the fine and public notification due to what seemed to be willful disregard for protecting information.
  • The fine also sends a message to other healthcare organizations to comply or face fines but, more importantly, public embarrassment.

As a quick review, the homeowners insurance orlando fl and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 impose requirements on control of access, breach notification, and storage of information.  Evaluator Group has written about the need to meet compliance requirements for HIPAA previously (see links at the end of the blog).

The importance of the more visible enforcement is best highlighted by an example of a meeting I had with a regional hospital about a year and a half ago.  I was meeting with the senior management of the hospital which included the CIO.  The discussion was focused on the archiving requirements for Electronic Medical Records and the different retention requirements based on the type of information.  After discussion regarding the retention requirements and the need for using storage systems that met compliance requirements that would pass an audit, the CIO recounted they were storing all their data on standard disk systems.  When asked about meeting compliance requirements, he said they were not concerned.  They were a regional hospital and the public depended on them.  If they were audited due to some complaint or had a loss of data, the public could not do without them and would have to support them for legal or financial issues.  I asked about taking measures now (regarding storing privacy data) to prevent having to deal with fines later and he said the budget would not allow that.

That was an interesting discussion.  He was admitting they knowingly were violating the regulations regarding the privacy of data but was unwilling to even consider doing something about it.  Aside from being appalled, I thought the arrogance was something that would cause an even greater impact when an incident occurred.  And it would be “when” and not “if.”

Being on the receiving end of a fine for not protecting privacy has more implications than just monetarily.

  • The bad publicity for customers and the community can lower the opinion of an institution and affect its support over the long term.
  • For the healthcare information professional, the peer group will be very aware of failings.  Not only will this cause the institution and its staff to be held with a low regard, it may have an effect on potential future employment opportunities.
  • There are long memories in the press, customers and the Department of Health and Human Services.  Any other type of incident will cause the lack of privacy protection to be brought up again.  And again.

Maybe with some institutions a $4.3 Million fine is not a major impact.  But for most it would be.  I would think it tough to put on a budget line item.
Sibling Rivalries (Indegrated Data Management)- Tiering, Data Protection and Archiving

Back to Analyst Blogs

Forgot your password? Reset it here.