Robert Tennant, senior policy advisor at MGMA, laid out the details of a number of enforcement actions taken by HHS against provider organizations with data breaches and access infractions. In one case, Cignet Health Care in Maryland ignored at least 41 patient requests for access to their health records. Cignet eventually was hit with $4.3 million in fines. In another, Massachusetts General Hospital settled for $1 million after a staff member had left a device with patient information on the subway.
Tennant outlined a series of steps that group practices should take to stay compliant with the law, ranging from completing a security assessment (required under meaningful use stage 1) to writing policies to cover data security. “It is important to take the risk analysis seriously,” he said. “CMS will go back to folks who have attested for meaningful use and ask for their risk analysis. If you don’t have it, they may take the money back and you may be at risk for false claims.”
Practices should also revisit their patient privacy notices, a requirement under HIPAA. A practice that has moved to an electronic health record, or joined a health information exchange, should update its notice to reflect that, Tennant advised. Some other privacy and security steps are easy to take, yet many practices fail to take them. One is encrypting laptops and portable devices. Tennant likened data encryption to a “get out of jail free” card, meaning that if a device containing protected health information is lost but is encrypted, the government does not consider it a high-risk episode and the breach does not have to be publicly reported. “Any data moving outside the practice should be encrypted,” he said. “That solves a lot of problems.”