Comments (13) | Add a comment
UMC risking steep fines over patients' privacy
Tools
LAS VEGAS REVIEW-JOURNAL
Updated: Apr. 10, 2012 | 10:04 a.m.
Because of recent changes in federal law, University Medical Center could face steep fines over allegations of violations of patients' privacy.
One part of the economic stimulus law enacted in February calls for federal agencies to impose fines as high as $1.5 million on medical providers who inadequately protect patients' data.
Fines jumped from $100 per violation to as much as $50,000 each for the most willful negligence. Penalties are capped at $1.5 million total for offenses within a calendar year.
The new rules went into effect in September but cover any infractions that happened after the American Recovery and Reinvestment Act was signed into law on Feb. 17.
Last week, hospital executives were alerted to accident victims' personal information being dispensed to local attorneys who could use it to solicit business from these patients. A more pressing concern is that the pilfered data could lead to identity theft.
Officials suspect at least one employee is behind the scheme.
Clark County Commissioner Susan Brager said it would be a shame if the hospital is slapped with heavy fines for the misdeeds of one or two workers. "That would be very unfortunate."
Hospital spokesman Rick Plummer said UMC is following the federal guidelines. "The only way UMC would face fines or penalties is if we had confirmed evidence of a breach and chose to do nothing."
The U.S. Department of Health and Human Services' civil rights office is in charge of investigating and punishing lapses in security while the Justice Department investigates the crimes.
Those who run afoul of the Health Insurance Portability and Accountability Act, also known as HIPAA, can be fined a maximum of $250,000 and jailed for up to 10 years.
The FBI has begun an investigation into UMC's security breach. The new rules allow state attorneys general to get involved in some instances, even though HIPAA is a federal law.
Still, Edie Cartwright, state attorney general spokeswoman, said her office has no plans to jump in unless invited.
"This a federal issue. This a federal investigation," Cartwright said. "There are no state statutes being violated."
Federal fines for a HIPAA breach are divided into four tiers, all capped at $1.5 million:
• If the hospital shows it didn't know about security leaks, even though it made a good-faith effort to ferret them out, it faces fines of $100 to $50,000 per violation.
• If the violation resulted from a reasonable cause with no willful neglect, the hospital could be fined $1,000 to $50,000 for each offense.
• If federal officials determine the hospital was negligent but fixed the problems within 30 days, the fines would run $10,000 to $50,000 per violation.
• If it takes longer than 30 days, the fines start at $50,000.
An internal audit of UMC in September noted the tougher fines and enforcement under the new laws.
County Auditor Jerry Carroll, although rating the hospital a relatively high 82 percent for HIPAA compliance, observed flawed safeguards.
Patient records were left unattended on desks or on computer screens, he wrote. Outgoing e-mails containing sensitive data were not encrypted.
Many employees didn't record information that was disclosed to third parties, creating the possibility for identity theft, Carroll said. This type of reporting helps pinpoint who was authorized to receive the data and who was not, he said.
"However, UMC is currently unable to provide patients with a meaningful report," Carroll wrote.
Failing to comply with privacy laws can lead to litigation as well as fines, he said.
Lawsuits based on HIPAA violations are springing up across the country.
Last year a Minnesota resident's lawsuit against a county hospital led to a federal judge recommending that the hospital settle and pay all legal costs. The same year, a man whose identity was stolen by a hospital employee sued six financial institutions and won.
In 2002, the year before HIPAA became law, a team of attorneys wrote a report stating how HIPAA could yield huge damage awards. They predicted that patient privacy could be the next tobacco litigation.
An employee who deliberately discloses data and a hospital's faulty policies and procedures are high on the list of factors that could result in big settlements, they wrote.
UMC is wrestling with both.
Contact reporter Scott Wyland at swyland@reviewjournal. com or 702-455-4519.
Trending topics:
Comments
Terms & Conditions
The following comments are provided by readers and are the sole responsiblity of the authors. The Review-Journal does not review comments before publication nor guarantee their accuracy. By publishing a comment here you agree to abide by the comment policy. If you see a comment that violates the policy, please use the Report Abuse button.
Some comments may not display immediately due to an automatic filter. These comments will be reviewed within 24 hours. Please do not submit a comment more than once.
Note: Comments made by reporters and editors of the Las Vegas Review-Journal are presented with a yellow background.
RSS
Twitter
Facebook
Not only is this house of idiots leaking money, the "leaders" in the Commission think it tragic if UMC is held culpable for not doing its job. Are Commissioners drug tested? Being high is the only excuse I can think of for the behavior of these fools.
I would be extremely angry if my private information was sold to some lawyer for profit. If I were injured and needed a lawyer for anything, I would find a lawyer myself and would report any lawyer who contacted me first to the State Bar. I think the UMC employees need to be fired, and prosecuted. UMC administrators need to be fired. UMC needs to be fined as it is difficult to believe they had no idea this was going on when lots of people knew this was going on and was why the laws were enacted. The lawyers involved need to be fined, and disbarred. Unless and until drastic and severe sanctions are imposed on ALL involved, this will not stop. And if anyone thinks it's only happaening at UMC, there is a bridge in Brooklyn I can sell you.
Let me get this straight. UMC can pay $2 million a month for free dialysis for 80 illegal aliens, but if they disclose they're illegal, they get fined $1.5 million?
What country am I living in? Whatever happened to reality?
So, what happens to the attorneys who got this ill gotten information?