Dr. Polack: This is Peter J. Polack, M.D. with Medical Practice Trends, and in our podcast today our guest is Mike Meikle of Hawkthorne Group consulting firm. So welcome, Mike!
Mike Meikle: Good afternoon, sir!
Dr. Polack: Today we are going to be talking about recent changes in the enforcement of the HITECH Act. So this is something that physicians want to really pay attention to. Although right now it doesn’t seem to be an issue, we need to be aware that there are certainly some significant potential penalties – is that right?
Mike Meikle: That’s correct – $50,000.00 per record breach.
Dr. Polack: Well, can you talk to us a little bit about this recent case that occurred and
what are the implications for the typical medical practice?
Mike Meikle: Certainly. Very recently, or up until this year, HIPAA – the Health Information Portability and Accountability Act, which has been around since 1996 – didn’t have a lot of teeth in the overall law. Most medical practices and even large healthcare providers sort of recognized it was there about protected health information, but they really didn’t put it into their standard business processes and practices to be concerned about it. But with the advent of the HITECH Act in 2009, the enforcement of HIPAA has become more prevalent, and in February of this year Health and Human Services assessed a $4.3 million penalty against Cignet Health in Prince George’s County, Maryland, and then two days later HHS levied another one million dollar settlement against Massachusetts General Hospital in the same type of HIPAA privacy complaint.
Dr. Polack: What exactly did they do? Was it one of these accidental breaches of information where someone took a laptop and lost it, or what exactly happened in the case of Cignet?
Mike Meikle: Well with Cignet, the issue basically revolved around the fact that the organization
was denying 41 patients access to their medical records when they had requested them, and
this was between September 2008 and October 2009.
So what the patients did, and the HITECH Act and HIPAA encourage this, was file individual complaints about this to Health and Human Services. Then of course HHS decided to investigate.
Well, what really added fuel to the fire was that Cignet refused to cooperate with HHS
when HHS requested records from Cignet. Instead of sending the 41 records to the organization
they backed up a truck full of thousands of medical records and had HHS sort through them
for the 41 they needed, and then they basically stonewalled and obfuscated and kind of skated
around the issue and finally HHS got so fed up that they went ahead and penalized them
for the $4.3 million. So that was a huge wakeup call to the healthcare provider – large healthcare provider – industry. It was just unheard of for this level of penalty to be levied.
Dr. Polack: And this was a civil penalty, right? This is not just a fine or a fee.
Mike Meikle: Yeah, it was a civil monetary penalty.
Dr. Polack: And in the case of Massachusetts General?
Mike Meikle: Well, this is another interesting
issue, and like you had just mentioned, so how did it get lost – was it stolen? Was
the laptop taken? Did somebody leave a backup tape in a car? Well, what really happened
here was an employee of Mass General left documents on the subway and in the documents
there was protected health information of 192 patients that had been diagnosed with
HIV and AIDS and also had medical record numbers, health insurance and policy numbers, date
of birth, of course with name, and they were never recovered.
So HHS stepped in and levied the one million dollar fine on Mass General, and then of course they had to do a corrective action plan and they had to basically do a whole comprehensive set of policy and procedure adjustments to protect PHI, because this was not in the actual business practices of the organization. So not only did they get this one million dollar fine, but they had to retool their business processes and technology processes to protect PHI, which they hadn’t been addressing. So there was an additional cost which is now reported.
Dr. Polack: So what’s the take-home message
here for the typical medical practice? What are some of the things that you would recommend
that they would do because actually you just mentioned having policies and procedures,
that’s certainly something that the government would look at to make sure that at least you
have guidelines in place to prevent this sort of thing.
Mike Meikle: That’s correct. Most of the guidelines and recommendations in HIPAA and
HITECH are not technology-specific. It’s not a technological solution. Technology assists
in complying but really it’s about business processes and procedures.
If you look at how information gets stolen from any organization, and this is even outside
healthcare theft, it’s theft of laptops, theft of USB drives, theft of actual paper
records like in the case of Mass General being kind of carelessly left in a subway.
So what organizations have to do, healthcare organizations, is train their employees about PHI – Protected Health Information – or e-PHI – electronic Protected Health Information: how to properly work with the information, how to protect it, understand it, and also impart to the employees the risks and the ramifications of losing PHI to the organization, how they can really undermine the viable business model of an organization if they have too large of a breach, and that once again it’s a business process, and training your employees goes a long way.
And of course with the technology piece, if you have electronic information, encryption of your storage media and also an effective Asset Management Program. So if your laptop walks away you actually know your laptop’s gone, or how many laptops you have in your practice – do you know? Well, you should know, and make sure that those hard drives on the laptops are encrypted, and also have the ability potentially to do a remote wipe of the device, an ability to track where that device is if it happens to fall out of a physician’s or nurse’s hands, so that you can actually know where it’s gone. If someone logs onto the internet you know where it is. You can remote wipe it.
So once again, there are a lot of ways technology can facilitate compliance, but the basic training of your employees is very important.
Dr. Polack: Okay, well very good. Thanks very much.
Mike Meikle: No problem, sir.