It’s Time for Healthcare Organizations to Get Serious About HIPAA and HITECH
Earlier this year, Connecticut Attorney General Richard Blumenthal filed the first known HIPAA lawsuit at the state level. He filed against Health Net of Connecticut Inc. for allegedly failing to secure patients’ private records, including medical and financial information, resulting in a breach that allegedly affected nearly 446,000 customers. Three months later, AG Blumenthal followed up and filed a lawsuit against Griffin Hospital of Derby, CT, for HIPAA and HITECH violations. From February 4th to March 5th, Griffin conducted an investigation that revealed a former radiologist, who was contracted with the hospital, had used the passwords of other radiology staff to access roughly 957 patient radiology reports on Griffin's PACS system. These reports included the patient's name, exam date, exam description, gender, age, medical record number, and date of birth. Of those 957 medical records accessed, the hospital confirmed that the former employee downloaded the image files of roughly 339 patients.
With the new powers now available to state attorneys general to enforce HIPAA/HITECH, it is time for healthcare organizations to finally take notice and work towards becoming compliant with HIPAA and HITECH. The days of organizations ignoring HIPAA because they were either too small to be noticed or simply willfully neglectful are over. The new fine structures, coupled with the ability of patients to bring civil lawsuits against the organization responsible, should cause any privacy officer, CISO, or CIO to be very concerned and take notice. It's not a matter of ‘if’, but ‘when’ they will be audited by the Office of Inspector General. It's not too late to take the necessary steps to build a roadmap to compliance for HIPAA and HITECH, even if you cannot remediate every gap uncovered at once. With Phase 1 of Meaningful Use going into effect early next year, and with organizations looking to receive higher reimbursement rates, organizations should use some of those increased revenue streams to build their compliance roadmaps and ensure the security and privacy of their electronic patient medical information.
July 20, 2010
