Cignet Health and Massachusetts General Hospital found out that HHS is getting serious about HIPAA violations. HHS imposed a $4.3 million penalty on Cignet Health for HIPAA violations, and Mass General agreed to pay the Feds $1 million to settle potential HIPAA violations.
Mass General’s case involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice. That works out to over $5000 per record lost. Cignet was found to have violated 41 patients’ rights by denying them access to their medical records.
In 2010, Rite Aid agreed to pay $1 million to settle a HIPAA privacy case after failing to safeguard consumer information.
HIPAA has been in place for a long time now, but its enforcement and the financial impact of violations have been hard to pinpoint until recently. With these cases, it’s become apparent that violations can be expensive.
IT shares the responsibility for HIPAA protection of all electronic medical records and patient information. With the recent HIPAA enforcement actions, it’s becoming increasingly important that health care IT runs in a secure, audited data center.
IT can assure HIPAA-compliant hosting by running its servers and data storage in HIPAA-compliant data centers that address physical, data and network security. Ask to review the data center’s SAS 70 or SSAE 16 audit report and a copy of its HIPAA audit report. The audit reports should specifically cover the data center’s processes for physical security, network security and control of access to the data on the servers.