Don't view HIPAA fines as a cost of doing business


If anyone doubted that there is a cost to ignoring privacy regulations, $5.3 million in penalties doled out last week for violations of the Health Insurance Portability and Accountability Act (HIPAA) should put such doubt to rest. Not only is the government pursuing enforcement, but it is going to come down particularly hard on organizations that don't take it seriously.

Cignet Health was fined $4.3 million by the U.S. Department of Health and Human Services for violating the privacy provisions of HIPAA. Cignet failed to give 41 patients access to their records when they requested them, and then failed to cooperate with HHS when the agency came to investigate. The records violation alone cost Cignet $1.3 million; it was the lack of cooperation that brought the total penalty to $4.3 million.

The agency last week also wrapped up a HIPAA privacy case against Massachusetts General Hospital. The hospital agreed to pay $1 million to settle a case in which a hospital employee accidentally left documents with protected health data of 192 patients on the subway in March 2009. Under a Corrective Action Plan, it will have to designate a director of internal audit to assess compliance and issue reports to HHS for the next three years.

HIPAA has been on the books for so long without visible enforcement that compliance was beginning to look like more trouble than it was worth. Until now there was little indication that the government intended to enforce the regulations: the penalty against Cignet was the first civil monetary penalty for privacy violations issued since the law went into effect.

The example made of Cignet and Mass. General should prompt other businesses to start taking data privacy more seriously. For those charged with safeguarding an organization's information, the imperative of investing in the technology, processes and training needed to ensure data privacy is not difficult to understand; the difficulty has been in translating that imperative to those focused solely on boosting the bottom line.

For a large healthcare organization, a $4.3 million fine may have little impact on the bottom line in the short term, but nobody should view it as a cost of doing business. Such added expenses exacerbate a climate of bloated costs, inefficiencies and waste in the healthcare industry. The cost of the penalties will be factored into patients' bills, meaning that consumers end up paying twice when their confidential data is breached. Talk about adding insult to injury. That is not the kind of publicity the industry needs. - Caron