MPT Podcast 8: HIPAA - Changes in HITECH and the Impact on Your Practice

Published: 19 October 2014
on channel: emedikon

In this Medical Practice Trends video podcast, Mike Meikle of Hawkthorne Group Consulting discusses recent changes in the enforcement of the HITECH Act and how medical practices should be prepared. Subscribe to the audio version on iTunes
https://itunes.apple.com/us/podcast/m...
/id286494996?mt=2&ign-mpt=uo%3D4
Transcript:
Dr. Polack: This is Peter J. Polack, M.D. with Medical Practice Trends and in our podcast today our guest is Mike Meikle of Hawkthorne Group consulting firm. So welcome Mike!
Mike Meikle: Good afternoon sir!
Dr. Polack: Today we are going to be talking about recent changes in the enforcement of the HITECH Act. So this is something that physicians want to really pay attention to, although right now it doesn’t seem to be an issue, we need to be aware that there’s certainly some significant potential penalties – is that right?
Mike Meikle: That’s correct - $50,000.00 per record breach.
Dr. Polack: Well, can you talk to us a little bit about this recent case that occurred and what are the implications for the typical medical practice?
Mike Meikle: Certainly. Very recently, or up until this year, the HIPAA – the Health Information Portability and Accountability Act, which has been around since 1996, though didn’t have a lot of teeth in the overall law, most medical practices and even large healthcare providers sort of recognized it was there about protected health information but they really didn’t put in their standard business process and practices to be concerned about it.
But with the advent of the HITECH Act in 2009, the enforcement of HIPAA has become more prevalent, and in February of this year, Health and Human Services assessed a $4.3 million penalty against Cignet Health in Prince George’s County, Maryland and then two days later, HHS levied another one million dollar settlement against Massachusetts General Hospital in the same type of HIPAA privacy complaint.
Dr. Polack: What exactly did they do? Was it one of these accidental breaches of information where someone took a laptop and lost it or what exactly happened in the case of Cignet?
Mike Meikle: Well with Cignet, the issue basically revolved around the fact that the organization was denying 41 patients access to their medical records when they had requested them, and this was between September 2008 and October 2009.
So what the patients did, and the HITECH Act and HIPAA encourages this, they filed individual complaints about this to Health and Human Services. Then of course HHS decided to investigate.
Well, what really added fuel to the fire was that Cignet refused to cooperate with HHS when HHS requested records from Cignet. Instead of sending the 41 records to the organization they backed up a truck full of thousands of medical records and had HHS sort through them for the 41 they needed, and then they basically stonewalled and obfuscated and kind of skated around the issue and finally HHS got so fed up that they went ahead and penalized them for the $4.3 million.
So that was a huge wakeup call to the healthcare provider – large healthcare provider industry. It was just unheard of for this level of penalty to be levied.
Dr. Polack: And this was a civil penalty, right? This is not just a fine or a fee.
Mike Meikle: Yeah, it was a civil monetary penalty.
Dr. Polack: And in the case of Massachusetts General?
Mike Meikle: Well this is another interesting issue, and like you had just mentioned, so how did it get lost – was it stolen? Was the laptop taken? Did somebody leave a backup tape in a car? Well, what really happened here was an employee of Mass General left documents on the subway and in the documents there was protected health information of 192 patients that had been diagnosed with HIV and AIDS and also had medical record numbers, health insurance and policy numbers, date of birth, of course with name, and they were never recovered.
So HHS stepped in and levied the one million dollar fine on Mass General and then of course they had to do a corrective action plan and they had to basically do a whole comprehensive set of policy and procedure adjustments to protect PHI because this is not in the actual business practices of the organization.
So not only did they get this one million dollar fine but they had to retool their business processes and technology processes to protect PHI which they hadn’t been addressing. So there was an additional cost which is now reported........