UMC risking steep fines over patients’ privacy
November 25, 2009 - 10:00 pm
Because of recent changes in federal law, University Medical Center could face steep fines over allegations of violations of patients’ privacy.
One part of the economic stimulus law enacted in February calls for federal agencies to impose fines as high as $1.5 million on medical providers who inadequately protect patients’ data.
Fines jumped from $100 per violation to as much as $50,000 each for the most willful negligence. Penalties are capped at $1.5 million total for offenses within a calendar year.
The new rules went into effect in September but cover any infractions that happened after the American Recovery and Reinvestment Act was signed into law on Feb. 17.
Last week, hospital executives were alerted to accident victims’ personal information being dispensed to local attorneys who could use it to solicit business from these patients. A more pressing concern is that the pilfered data could lead to identity theft.
Officials suspect at least one employee is behind the scheme.
Clark County Commissioner Susan Brager said it would be a shame if the hospital is slapped with heavy fines for the misdeeds of one or two workers. “That would be very unfortunate.”
Hospital spokesman Rick Plummer said UMC is following the federal guidelines. “The only way UMC would face fines or penalties is if we had confirmed evidence of a breach and chose to do nothing.”
The U.S. Department of Health and Human Services’ civil rights office is in charge of investigating and punishing lapses in security, while the Justice Department investigates the crimes.
Those who run afoul of the Health Insurance Portability and Accountability Act, also known as HIPAA, can be fined a maximum of $250,000 and jailed for up to 10 years.
The FBI has begun an investigation into UMC’s security breach. The new rules allow state attorneys general to get involved in some instances, even though HIPAA is a federal law.
Still, Edie Cartwright, state attorney general spokeswoman, said her office has no plans to jump in unless invited.
“This is a federal issue. This is a federal investigation,” Cartwright said. “There are no state statutes being violated.”
Federal fines for a HIPAA breach are divided into four tiers, all capped at $1.5 million:
• If the hospital shows it didn’t know about security leaks despite making a good-faith effort to ferret them out, it faces fines of $100 to $50,000 per violation.
• If the violation resulted from a reasonable cause with no willful neglect, the hospital could be fined $1,000 to $50,000 for each offense.
• If federal officials determine the hospital was negligent but fixed the problems within 30 days, the fines would run $10,000 to $50,000 per violation.
• If it takes longer than 30 days, the fines start at $50,000.
An internal audit of UMC in September noted the tougher fines and enforcement under the new laws.
County Auditor Jerry Carroll, although rating the hospital a relatively high 82 percent for HIPAA compliance, observed flawed safeguards.
Patient records were left unattended on desks or on computer screens, he wrote. Outgoing e-mails containing sensitive data were not encrypted.
Many employees didn’t record information that was disclosed to third parties, creating the possibility for identity theft, Carroll said. This type of reporting helps pinpoint who was authorized to receive the data and who was not, he said.
“However, UMC is currently unable to provide patients with a meaningful report,” Carroll wrote.
Failing to comply with privacy laws can lead to litigation as well as fines, he said.
Lawsuits based on HIPAA violations are springing up across the country.
Last year a Minnesota resident’s lawsuit against a county hospital led to a federal judge recommending that the hospital settle and pay all legal costs. The same year, a man whose identity was stolen by a hospital employee sued six financial institutions and won.
In 2002, the year before HIPAA became law, a team of attorneys wrote a report stating how HIPAA could yield huge damage awards. They predicted that patient privacy could be the next tobacco litigation.
An employee who deliberately discloses data and a hospital’s faulty policies and procedures are high on the list of factors that could result in big settlements, they wrote.
UMC is wrestling with both.
Contact reporter Scott Wyland at swyland@reviewjournal.com or 702-455-4519.