We can add one more “oops” to the Department of Health and Human Services (DHHS) repertoire of “oopses.” I am reminded of Captain Edward Smith when he banged the Titanic into an iceberg. Talk about an “oops” moment. Not to mention the lives lost, hitting that iceberg cost $7.5 million in ship building costs back in 1909.
DHHS hit another iceberg yesterday. How much will this “oops” costs?
DHHS made its “oops” by sending 48,752 new Medicaid cards to the WRONG people. Oops! Medicaid cards have HIPAA protected information on them, such as names, Medicaid numbers and dates of birth.
Let me tell you a little about HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It was signed into law by Bill Clinton, Title II of HIPAA requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Why is this important? This act also provides significant penalties if privileged information is disseminated.
Hence the DHHS Medicaid card debacle. Iceberg, ahoy! “Oops I did it again!”
The questions are (1) how much will NC be penalized for the dissemination of so much private information; and (2) will NC actually have to pay the penalty?
Recently, HIPAA was revamped. Beginning September 2013, HIPAA became even more stringent with harsher penalties and began to apply to more people (including law firms). For example, prior to September 2013, my firm Williams Mullen treated my documents received from clients the same as all other privileged information in our firm. Obviously, almost everything at a law firm is confidential. Now I have to lock my door (we had to install a lock) anytime I leave my office, even for lunch. Bright yellow flags have been added to all my files that contain privileged health information (PHI), which is every file. My partners cannot access my documents on our computer network system unless granted access. I feel like Edward Snowdon.
I also remember a story about a nurse who worked at a hospital. Her husband was admitted into the ER while she was on her shift and she looked up his condition on the computer. She was fired for violating HIPAA.
How bad can it be?
The feds imposed a penalty of $4.3 million against Cignet Health of Prince George’s County, MD, for HIPAA violations in 2011. Oops!
And, in light of the “new HIPAA,” last week, DHHS disseminates privileged information to 48,752 people.
What are the penalties for violating HIPAA?
There are four violation categories (1) did not know; (2) reasonable cause; (3) willful neglect-corrected; and (4) willful neglect-not corrected. Here are the penalties:
Assuming DHHS’ HIPAA violation is the least severe, “did not know,” DHHS could be liable for $100-$50,000 per violation. Here, there are, at least, 48,752 violations. So we are talking a penalty anywhere from $4,875,200 to a number bigger than my calculator allows.
Thankfully for DHHS and, ultimately, our tax dollars, there are caps to HIPAA penalties. There is a $1.5 million cap per calendar year.
However, DHHS could be liable for multiple violations of multiple provisions and a violation of each provision can be counted separately. So, theoretically, DHHS could be liable for multiple violations of up to $1.5 million cap for each violation, which would result in a total penalty well above $1.5 million.
Oops!
The other question is whether the federal government will hold a state liable for such HIPAA violations. I don’t know the answer to this, but it would seem fundamentally unfair if HIPAA applies to people and companies, but not the state.
Then, again, how many of you want our tax dollars going toward paying these HIPAA penalties?
You can also see this story on WRAL. (Yes, I was interviewed 
)
Will Aldona Wos also have a $7.5 million “oops” like Captain Smith? Because, regardless who committed the “oops,” Wos is captain of the ship. It is believed that Capt. Smith went down with the Titanic.
