HHS/OCR’s First Million Dollar Breach Violation Fine!

by Mahmood Sher-jan

We all knew that one of these days HHS/OCR would start using the new fine structure under the HITECH privacy and security rules to punish violators for the loss of PHI when it finds a lack of compliance with the rules. Well, the wait is over (http://www.hhs.gov/ocr/privacy/hipaa/news/mghnews.html), and Mass General Hospital is the unlucky first covered entity to earn this undesirable distinction, on 2/14/2011.

After reviewing the resolution agreement between the hospital and OCR, I realized that the fine doesn't tell the whole story. The PHI data breach and the lack of compliance with the HIPAA privacy and security rules put the hospital in a position where it had to agree to a stringent Corrective Action Plan (CAP) for a number of years to come. The hospital now has the burden of getting OCR's approval for any ongoing development of and changes to its privacy and security policies and safeguards, of performing audits, and of reporting any and all findings to OCR. Hospital executives have to attest to the implementation of the CAP. They have to designate a Monitor with the credentials and sufficient resources to address the deficiencies outlined in the CAP and to communicate status to OCR for the duration of the CAP. OCR can even remove the Monitor if it thinks that she is not doing a good job or does not have the right qualifications.

The lesson from this situation is that if you suffer a PHI data breach, you had better be able to show OCR that you were following the rules, because the ramifications of non-compliance go far beyond any fines. And if you are participating in the Meaningful Use incentive program, you now have a major obstacle in your effort to qualify for those funds. In short, you can lose control of your compliance program and unwittingly invite the government to prescribe what you have to do, and when and how. No organization would willingly bring this upon itself, or would they?

About the Author

Mahmood Sher-jan

Mahmood is Vice President of Product Management at ID Experts and is a veteran of high technology & services industries. He lives in Portland, Oregon and holds a BS in Computer Science from University of Washington and an MBA from the University of Redlands.
