Portland Personal Injury Law Blog

In 1999, the Institute of Medicine stated that preventable medical errors contributed to tens of thousands of deaths in U.S. hospitals every year. We’re now more than a decade out from that revelation, and a new study has found that we aren’t out of the woods yet. In fact, it could be worse.

A team of researchers from the Institute for Healthcare Improvement, a Cambridge, Massachusetts think tank, says those numbers might actually be 10 times as bad as previously thought.

Dr. David C. Classen, a professor at the University of Utah, and his colleagues, employed a new method known as the Global Trigger Tool to look for adverse outcomes. They reviewed the medical records for 795 patients at three large U.S. hospitals which had, as they say, "well-established operational patient safety programs."

The researchers scanned the patients’ paperwork to look for something that indicated there were problems. This may have included things such as a stop order on medication, an abnormal lab result or using an antidote. When these so-called “triggers” were discovered, the researchers investigated in more detail to see whether there had been an adverse event, and how severe it was.

They detected 354 adverse events among the 795 patients, which was 10 times more than what other methods found.

"Our study suggests that despite sizable investments and aggressive promotional efforts by local hospitals, these reporting systems fail to detect most adverse events," wrote researchers.

The researchers noted that the larger results may be due in part to the fact that the Global Trigger Tool defines adverse events more broadly than earlier studies. However, they also said the number could be low, since examining medical records isn’t as effective as observing care in person.

Chock one up for privacy advocates. It’s come to light that last October, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) notified Cignet Health of Prince George’s County, Maryland that they violated the rights of 41 patients when they denied them access to their own medical records. They were requested between September 2008 and October 2009.

"Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule," said HHS Secretary Kathleen Sebelius.

The Office for Civil Rights issued a Notice of Final Determination finding that Cignet Health violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HHS has imposed a civil money penalty (CMP) of $4.3 million for the infractions – this was the first CMP issued by the department for a covered entity’s violations of the HIPAA Privacy Rule. The investigations were initiated after the patients individually filed complaints with the Office for Civil Rights.

Once the investigation commenced, Cignet immediately stonewalled the OCR’s efforts. The company refused to respond to OCR’s requests to produce the records. They also didn’t cooperate when the office came with a subpoena, which cost them $1.3 million.

The HIPAA Privacy Rule is quite clear: it requires that a covered entity provide a patient with a copy of their medical records within 30 days (and no later than 60 days) of the patient’s request.

OCR filed a petition to make sure its subpoena was enforced in United States District Court and obtained a default judgment against Cignet on March 30, 2010.

But the obstruction didn’t stop there. Apparently Cignet didn’t just refuse to respond to OCR’s demands to produce the records, the Office for Civil Rights says that Cignet failed to cooperate with the OCR’s investigations daily from March 17, 2009, to April 7, 2010. Finally, Cignet got the medical records to the OCR on April 7, 2010.

The Office for Civil Right said that Cigna’s failure to cooperate was due to the company’s willful neglect to comply with the Privacy Rule. Since they were required under law to cooperate with the investigations, the civil money penalty for the violations is $3 million.

"Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements," said OCR Director Georgina Verdugo. "The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules."

If you think that someone has violated your health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule, you are well within your rights to file a complaint with the Office for Civil Rights.