

By Angelique Carson

If the $1 million settlement reached by Massachusetts General Hospital and the Department of Health and Human Services Office for Civil Rights (OCR) last month is any indication of what’s to come, the OCR plans to take healthcare privacy enforcement seriously.

That message was confirmed recently by OCR Deputy Region 1 Manager Susan Rhodes, who discussed recent federal investigations and offered advice on how to stay compliant with HITECH security and privacy regulations.

At an IAPP KnowledgeNet event hosted by McDermott Will & Emery LLP in Boston last week, Rhodes pointed to a “significant” increase in complaints related to data breaches in 2010—242 compared with 60 in 2005. Of the complaints that were investigated, 70 resulted in corrective action. Rhodes said as electronic health records are increasingly implemented, the Security Rule will likely be increasingly implicated in OCR complaint investigations.

“We expect to issue a final rule this year but cannot provide more specific information,” Rhodes said, responding to a multitude of questions on when to expect the rule. The HITECH Act will require HIPAA-covered entities to report data breaches to OCR and, in cases involving more than 500 individuals, the media. HITECH was passed as part of the American Recovery and Reinvestment Act of 2009. It increases penalty amounts for violations of HIPAA and encourages prompt corrective action. Prior to February 18, 2009, the maximum penalty for a HIPAA violation was $100 with a cap of $25,000 per year. Now, the penalties range from $100 to $50,000 or more per violation with a $1,500,000 cap per calendar year.

“The ways to count fines vary depending on the violations and can include fining per violation per number of days that an organization is out of compliance,” Rhodes said.

She added that where OCR has previously focused on corrective action and providing technical assistance, it is “now taking a stronger enforcement approach. There’s a real push from us to really enforce.”

Implementation of HITECH Act enforcement has strengthened the HIPAA protections and rights related to an individual’s health information, she said.

OCR data shows that between September 2009 and December 2010, there were 221 reports of a breach affecting 500 individuals or more. Theft and loss accounted for 67 percent of those breaches, and 38 percent involved laptops or other portable devices.

The meeting intended to give attendees insight into OCR investigations and enforcement actions. Rhodes discussed the Mass General investigation, which she said was the result of a media report and a complaint from an individual whose personal health information was lost. The settlement involved a $1 million fine, a three-year corrective-action plan and a requirement that the hospital actively monitor compliance internally. The impermissible disclosures were “definitely avoidable,” Rhodes said. Though policies and procedures were in place at the hospital, appropriate checks were not conducted on departmental levels, resulting in an employee leaving unprotected health information—197 patients’ information that for some included HIV/AIDS diagnoses—on the subway. The information was not recovered.

“There was no checking to make sure that information taken home was in compliance. Covered entities need to ensure that protected health information is safeguarded,” Rhodes said. She added that if employees are taking protected health information home, a covered entity needs to make sure there are appropriate policies and procedures including “assessment of minimum necessary, training and safeguards and—in cases of electronic information—possibly encryption and other safeguards and policy implementation.” Massachusetts General is now working on comprehensive safeguard policies for the way information is transported, she said.

OCR advises healthcare professionals to reduce security and privacy risks by storing data on networks or enterprise storage as opposed to local devices; encrypting data stored on desktops or portable devices; establishing and documenting clear administrative safeguards on storage devices handling electronic health records, and raising the security awareness of employees.

Rhodes noted that, under HITECH, state attorneys general are authorized to take action under HIPAA. Connecticut’s attorney general launched an investigation into a health plan’s recent breach, a trend Rhodes expects will gain traction.

“We’re training AGs throughout the country on enforcement. Connecticut is the first state AG to bring action in the U.S. Other AGs in New England are interested and active and looking at cases. So, yes, I do expect there’s going to be more state actions,” she said.
