Health Information Compliance Alert

INDUSTRY NEWS:

GEAR UP NOW FOR FINAL HIPAA ENFORCEMENT RULE

Rule finalizes civil monetary penalty regulations.

The Final Rule on HIPAA Enforcement is here--so don't expect the feds to cut you any slack if you're not in compliance.

The rule, published Feb. 16 in the Federal Register, adopts the complete regulatory structure for implementing the civil money penalty authority of the Administrative Simplification part of HIPAA (SSA section 1176). The regulation finalizes the structure begun when the Privacy Rule was issued in 2000 and expanded by the interim final procedural enforcement rules issued in 2003. 

The rule covers the entire enforcement process--which includes a complaint or a compliance review. A complaint or compliance review may result in informal resolution, a finding of no violation, or a finding of violation. If a finding of violation is made, a civil money penalty will be sought for the violation, which can be challenged by the covered entity through a formal hearing and appellate review process.

These regulations apply to covered entities that violate any of the rules implementing the Administrative Simplification provisions of HIPAA.

To read the rule, go to
http://a257.g.akamaitech.net/7/257/2422/01jan20061800/edocket.access.gpo.gov/2006/pdf/06-1376.pdf

Patient Data Theft Demolishes Agency

If you're wondering how bad a patient information security breach might get, just take a look at Providence Home Services in Portland, OR.

On Dec. 31, 2005, a thief stole computer disks and tapes containing the medical records of 365,000 current and former Providence patients, home health agency parent Providence Health System confirms in a release.

The records, which can't be read on normal home computers, date back to 1987 and included names, addresses, dates of birth, health conditions and drug prescriptions, reports The Oregonian newspaper. Many files included Social Security numbers; some included financial information. Data on 1,500 current and former Providence employees also was included.

The disks and tapes were in an employee's car because the agency designated certain employees to take computer files home each day as an emergency backup in case of a failure of the main records system, the paper says.

Providence notified the public of the theft Jan. 25 and sent letters to the Washington and Oregon patients affected, the agency says. After public outcry, Providence agreed to arrange and pay for a credit service package for all affected patients. By Feb. 2, more than 10,000 patients had called a hotline Providence set up, the paper reported.

Patients have filed a class action lawsuit in state court against the agency, state lawmakers have vowed to hold hearings on the matter, the state Attorney General is investigating for legal violations and the Department of Health and Human Services is looking into HIPAA and other regulatory violations, according to press reports. That's in addition to the negative newspaper stories and editorials about the topic.

Identity theft predators are making the situation worse. "Scam artists are portraying themselves as Providence employees and asking for personal information such as social security numbers and bank accounts so they can 'verify' the stolen data," Providence warns in a release.
