Two recent actions by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) suggest we have entered a new era of more stringent enforcement of the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Covered entities, particularly those in the healthcare industry, should be vigilant in their HIPAA compliance efforts in order to avoid paying sizeable penalties.
For the first time, OCR, which is charged with enforcing HIPAA's privacy and security standards, has imposed a civil money penalty under HIPAA. In a press release dated February 22, 2011, OCR announced that Cignet Health of Maryland was fined a total of $4.3 million for ignoring requests for medical records from 41 individuals and for failing to cooperate with OCR's investigation of 27 related complaints.
Two days later, OCR announced a $1 million settlement with Massachusetts General Hospital after an employee left documents containing patients' health information on the subway. OCR's investigation indicated that the hospital "failed to implement reasonable, appropriate safeguards to protect the privacy of protected health information." As part of the settlement, the hospital agreed to issue new HIPAA policies and procedures and conduct employee training.
HIPAA originally capped penalties at $100 per day and $25,000 for the same violation in any one year. HHS investigated complaints in its discretion and entered into compliance agreements, but was criticized for not doing enough to enforce HIPAA.
In 2009, the Health Information Technology and Clinical Health Act (HITECH) significantly increased the potential monetary penalties for HIPAA violations to a minimum of $100 and a maximum of $50,000 per day, up to a maximum of $1.5 million for the same violation in any one year. In addition, HITECH requires OCR to investigate complaints and perform compliance audits and authorizes state attorneys general to enforce HIPAA.
The new penalty scheme provides for tiered penalty amounts based on the nature and extent of the violations, the nature and extent of the resulting harm, and the violator's history of compliance, among other factors. OCR has stated that the failure of an organization to implement adequate privacy and security policies and procedures may cause investigators to conclude that the organization has a higher level of culpability, which may result in a higher penalty.
In the Cignet Health case, OCR imposed the minimum penalty of $100 per day for each failure to respond to patients' requests for medical records. However, OCR assessed the maximum penalty of $50,000 per day (capped at $1.5 million per year) for Cignet's failure to cooperate with OCR's investigation, including ignoring a subpoena.
In connection with its settlement agreement with Massachusetts General Hospital, the director of OCR, Georgina Verdugo, said, "We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement."
Covered entities in the healthcare industry are obvious targets of OCR's stepped-up enforcement efforts; however, all covered entities, including employer-sponsored health plans, can learn important lessons from OCR's actions. These cases demonstrate the importance of the following:
Even the minimum penalties under HIPAA can add up quickly and, by its recent actions, OCR has indicated that it will not tolerate a lack of seriousness when it comes to HIPAA compliance by covered entities.
For information about HITECH-compliant HIPAA privacy and security policies and procedures and employee training programs appropriate for your organization, please contact any of the Morgan Lewis attorneys listed below.