"That is the kind of violation that happens a lot," he said.
Covered entities need to be paying attention to such issues but often do not, MacKoul said. "It is interesting that the HHS is using the privacy rule," to go after such violations, he said.
Importantly, the fine against Cignet also shows that the HHS is prepared to come down hard on health care companies that show willful neglect in protecting patient data, he said.
"To me it is very significant that they are willing to apply willful neglect [against Cignet] to the tune of $3 million," MacKoul said. "It's one thing when they write it into law. It's a totally different story when they actually enforce it."
"Covered entities should take note," he said.
This week's HIPAA enforcement actions follow news, also this week, that the number of people whose health care data was lost or stolen continues to soar.
A report released earlier this week by the accounting firm Kaufman, Rossin & Co. showed that in the first year since the HITECH Act was passed, about 5 million people had their personal health information compromised, either as a result of theft or because the data was lost.
A total of 166 data breach incidents (each involving more than 500 individuals) was reported to the HHS as of Sept. 10, 2010. The largest incident involved a lost laptop containing unencrypted protected health information on 1,222,000 individuals, the report said.
Mass. General Hospital did not immediately respond to a request for comment. Cignet could not be reached immediately.