HIPAA Security Officer Aces OCR Investigations

By dnicastro@hcpro.com, March 08, 2011

Cignet Health's failure to cooperate with the government's HIPAA privacy and security enforcer just cost the Maryland hospital system $3 million.

It cost the system another $1.3 million when it failed to provide patients copies of medical records within 30 (and no later than 60) days.

The message can't be any clearer: when the Office for Civil Rights (OCR) knocks, answer the door.

About 48 hours after the Cignet news broke, OCR announced a $1 million settlement against Massachusetts General Hospital in Boston for an incident involving the loss of 192 patient records belonging to Mass General's Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.

Get it? It's a crackdown.

One security officer who "got it" before Cignet's landmark fine and settlement were announced is Greg Young.

Young, the information security officer at Mammoth Hospital in Mammoth Lakes, CA, has worked with OCR on about a handful of investigations.

"I never had the sense they were going to let me get away with anything," Young says. "They were pretty demanding and yet always professional. At one point they reminded me that they have the last word. Though I thought I was cooperating, they wanted more details. I'm amazed that Cignet got away with as much as they did for as long as they did."

One investigation involved a former employee of the hospital who claimed his medical records were accessed inappropriately. OCR's investigation took about five to six months. Federal officials resolved that there was no such inappropriate access.

During the investigation, Young retained all of the hospital's communications with the former employee and OCR in an electronic file. He also kept the audit logs of access to the employee's medical records, which OCR asked for copies of.

"It was reasonable, and I shared everything with them," Young says. "We documented the incident report and the e-mail exchanges. I created an electronic folder and put copies of emails, phone calls and notes into it, and had an investigative log in there that has the timeline of all related events. They wanted me to produce audits of the complainant's record, and they ended up agreeing with us."

Another OCR investigation with Mammoth involved a patient who claimed a co-worker should not have been allowed in the treatment room, though it could not be corroborated that the patient ever expressed that during the stay, Young says.

The investigation ended with OCR asking Mammoth to change its policies and procedures and to be more proactive in ensuring patients know they can refuse certain people's presence in their hospital room.

"OCR wants to see you are taking these things seriously," Young says. "If you don't, they don't hesitate to inform you there are really going to be consequences."

Today, Young is as proactive as ever about training. One big part is issuing commendations. In fact, he awards folks for good privacy and security practices by distributing one-page commendations to individual employees, their managers and human resources.

It's little things like this that help employee morale – and help when OCR or state auditors come knocking.

"It's great for the employees," Young says. "And now, maybe they see that Greg is not just looking for the bad guys, he's looking for the good guys, too. And we're using the commendations as a tool for any regulatory agency that wants to audit us. It shows historically we encourage people to report things and then proactively respond by immediately addressing the risk before it becomes something reportable."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
