Author: Crown Information Managment

Clinics Failed to Provide Patients with Records Access . . .

For the first time, federal officials have issued a civil monetary penalty to a healthcare organization for violations of the HIPPA privacy rule. Cignet Health of Prince George’s County, Md., was fined $4.3 million for the violations that involved failing to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators.

The individuals affected filed records access complaints with the HHS’ Office for Civil Rights between September 2008 and October 2009. The HIPAA privacy rule requires that a covered entity, such as a clinic or hospital, provide a patient with a copy of their records no later than 60 days after a request. HHS imposed a “civil monetary penalty” of $1.3 million for Cignet’s violation of this requirement.

HHS explained in a statement that Cignet refused to respond to OCR’s demands to produce the records and failed to cooperate with OCR’s investigations of the complaints and produce the records in response to a subpoena. OCR filed a petition to enforce its subpoena in a U.S. District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means, HHS said.

Cignet failed to cooperate with OCR’s investigations from March 2009 to April 2010, constituting willful neglect to comply with the HIPAA privacy rule, according to HHS. HIPAA covered entities are required under law to cooperate with the department’s investigations. The fine for these violations was $3 million.

Case involved loss of documents that included information on patients with HIV/AIDS . . .

In the second major HIPAA enforcement agency announced by federal authorities this week, Massachusetts General Hospital and its physicians organization have entered into a resolution agreement that calls for paying a $1 million settlement and taking corrective action to avoid future violations. The case involved the loss of documents that included information on patients with HIV/AIDS.

Earlier this week, the Department of Health and Human Services announced a $4.3 million civil monetary penalty against Cignet Health. That case apparently included a heftier financial penalty because it did not involve a negotiated resolution agreement.

With the two announcements of penalties for HIPAA privacy rule violations, HHS’ Office for Civil Rights appears to be giving strong signals that its long-promised plans to ramp up enforcement efforts are now a reality. “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement,” said OCR Director Georgina Verdugo.

The resolution agreement with Massachusetts General stems from the loss of scheduling documents for 192 patients in the hospital’s General Infectious Disease Associates outpatient practice, including those with HIV/AIDS. OCR initiated its investigation when a patient whose information was lost filed a complaint.

The patient encounter billing forms and schedules were lost on March 9, 2009, when a hospital employee, while commuting to work, left them on a subway train. They included such information as names, medical records numbers, insurance information and diagnoses.

The corrective action plan calls for Massachusetts General to:
*Develop and implement a comprehensive set of policies and procedures that ensure patient information is protected when removed from the hospital;
*Train staff members on these policies and procedures;
*Designate the director of internal audit services of Partners Healthcare System, the hospital’s parent company, to serve as an internal monitor who will conduct assessments of the hospital’s compliance with the corrective action plan and submit semi-annual reports to HHS for three years.

In a statement, Massachusetts General said that in addition to the new policies and procedures, it would also take the extra security steps of encrypting laptops and USB drives.

Charges of fraud and conspiracy in obtaining and distributing the e-mail addresses of 114,000 iPad owners . . .

Federal prosecutors arrested two men on charges of fraud and conspiracy in obtaining and distributing the e-mail addresses of 114,000 iPad 3G owners.
Those affected by the breach included military personnel, members of the Senate and the House of Representatives, and employees of NASA and the Department of Homeland Security.
Each man is charged with one count of conspiracy to access a computer without authorization and one count of fraud, according to the United States district attorney’s office in Newark. Each count carries a maximum penalty of five years in prison and a $250,000 fine.
The Goatse Security group, which the two men are a part of, originally maintained, in an open letter to AT&T in June, that it exposed the security vulnerability on the company’s site to alert it to the problem. The flaw allowed anyone to discover e-mail addresses by submitting potential iPad identification numbers to the site.
No actual e-mail messages were available through the security hole. But AT&T has described the group’s collection of data as “malicious” and has said that it could have exposed customers to spam or fraud.

Admitted to having 100s of debit cards in other people’s names sent to girlfriend’s house . . .

Jimmy Lee Theodore, 27, faced charges for identity theft, wire fraud and unauthorized debit card use.  In West Palm Beach federal court, he admitted to having hundreds of debit cards in other people’s names sent to his girlfriend’s Pembroke Pines house. According to court records when U.S. postal inspectors went to the home, they found Holy Cross Hospital patient records as well as hundreds of patient records from a doctor’s office. The wire fraud charge on its own carries a maximum sentence of 20 years in prison. Theodore had recruited his aunt to get her friends — one who worked as an emergency room clerk at Holy Cross Hospital — to steal patients’ records. The hospital clerk, Natasha Orr, cut a plea deal with federal prosecutors in January and could face up to 10 years in prison when she is sentenced later this month.
Holy Cross Hospital computer technicians found Orr had accessed about 1,500 patient files between April 2009 and September 2010. The hospital ended up offering free identity-theft monitoring to more than 44,000 patients who visited the emergency room during that period.
Source: (The Sun Sentinel, “Ringleader in Holy Cross Hospital ID thefts pleads guilty,” Jon Burstein, 6 Apr 2011)

Adam Johnson, our Operations Manager, passed away suddenly on April 22nd, 2011 . . .

Adam was a wonderful, warm person. He was soft spoken, shy and non-confrontational. If you ever had the pleasure of speaking with him, you would find his voice soothing and courteous. He was the creative mastermind behind our routing, and when it came to scheduling, he would do his level best to accommodate a client’s needs. Adam loved his work, and it showed.

From candy to Disney, Adam loved all things sweet! It was not unusual to find him with a coke and a Reese’s peanut butter cup nearby. His sense of humor was dry and usually included a movie line zinger! He always found it fun when you would respond in kind! He could talk about movies and video games for hours and when he did, his face would light up, like a kid at Christmas… or maybe I should have said Halloween, since that was his favorite time of the year. Adam used to go to Mickey’s Not So Scary Halloween party in the Magic Kingdom at Disney World. He loved the trick or treating, the dressing up, the costumes, parades, music and fireworks. He especially loved seeing the families together. Adam had a special place in his heart for family. He enjoyed spending time with his parents and sister and spoke highly of his brother. He shared dreams of marrying his fiancé Aimee, and raising children some day. He was also part of the Crown Shredding Family. A family of individuals working together, looking out for each other and helping each other grow. A family who celebrates each other’s triumphs and supports each other during the hard times. A family who will now mourn together, and provide strength for each other during this very difficult time. A corporate family who will miss and honor the memory of Adam Johnson.

“When death touches our circle, it prompts memories of the life that was lived and how it intersected with our own.”
-Debbie Burgamy

The Office of Privacy Protection reminds parents to tell their children not to give out personal information…

Now that school is in full-swing, many children are spending extra hours in front of a computer or on their cell phone with Internet access. Unfortunately, this also makes them ideal targets for identity thieves.
“The younger the victim, the more time these thieves have to exploit the child’s identity,” said Sandy Chalmers, Administrator of the Wisconsin Division of Trade and Consumer Protection. “Identity theft against a child can go undetected for years and do a lot of damage to their good name.”
The Office of Privacy Protection, part of the Bureau of Consumer Protection, reminds parents to tell their children not to give out personal information unless it’s vitally important and exchanged with a reliable source.

In addition to talking to children about potential online dangers, the Bureau of Consumer Protection’s Office of Privacy Protection also encourages parents to occasionally check their child’s credit report. If a report exists, that is a red flag, and often the first sign of identity theft.
“The credit reporting agencies do not knowingly maintain credit files on children,” Chalmers explained. “A check of your child’s credit should turn up nothing until the age of 18 unless they are the victim of identity theft or a secondary user on a credit card authorized by a parent.”

ConsumerAffairs.com

A mailing to physicians put personal info at risk . . .

CVS Caremark subsidiaries, RxAmerica and Accendo Insurance Company, provide drug benefits to those eligible for Medicare Part D.

A recent mailing to physicians, by these companies, put 175,000 individuals’ personal information at risk.  The letters, while sent to the right addresses, included a formatting error that shifted the text, allowing some lines to be visible through the envelope window!

That information included the member’s name and some combination of member ID number, drug name and date of birth.

Proposed rule requires an accounting of detailed information for disclosures that affect a person’s rights or interests…

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is proposing changes to the Privacy Rule, pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH is part of the American Recovery and Reinvestment Act of 2009.

“This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” said OCR Director Georgina Verdugo. “We need to protect peoples’ rights so that they know how their health information has been used or disclosed.”

People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information.

The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.

Article provided by Human Health Services

Nearly half of all identity theft victims have difficulties…

The monetary costs of identity theft can be quite hefty. In fact, victims of identity theft lose an average of $2,000 to 15,000 in wages trying to deal with their cases. This is because victims spend between a day and 9 months trying to repair the financial damage caused by identity thieves, and some even spend up to a year trying to deal with their cases. On average, victims spend between $850 to $1400 in expenses related to their cases, which includes paperwork and any other legal fees.

As a result of identity theft, nearly half of all identity theft victims have difficulties obtaining credit and loans, and roughly 1/5 of victims have higher credit interest rates. Over 2/3 of victims have difficulties removing negative information from their credit scores.

The psychological impact of identity theft is also extensive on both the victims and their families. Victims often times experience anger, anxiety and depression as a result of losing their finances. Nearly half of all victims experience denial, disbelief, feel filed, and develop an inability to trust others, and over half feel unprotected by the police as well as experience rage.

IdentityTheftFacts.com