On Feb. 22, 2011, the U.S. Department of Health and Human Services (HHS)
Office for Civil Rights (OCR) announced that it had issued a civil money penalty
(CMP) of $4.3 million against Cignet Health of Prince George’s County, Maryland, the
first imposition of a CMP by OCR for a violation of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Two days later,
HHS announced that General Hospital Corporation and Massachusetts General
Physicians Organization, Inc., collectively referred to as Mass General, agreed
to pay $1 million to settle potential violations of the HIPAA Privacy Rule.

OCR Issues its First Civil Monetary Penalty for a Violation of the HIPAA

On Feb. 22, 2011, HHS announced that OCR had issued a Notice of Final
Determination ordering Cignet to pay a CMP of $4.3 million. HHS’ imposition of
this penalty represents the first CMP issued by HHS for a covered entity’s
violation of the HIPAA Privacy Rule. The HITECH Act expanded HHS’ ability to
issue CMPs and increased the maximum penalty amount from $25,000 to $1.5 million
for all violations of an identical provision.
OCR determined that Cignet had violated the law both because it violated the
rights of patients and because it failed to cooperate with OCR’s investigation.
OCR found that Cignet violated the rights of 41 patients by denying them access
to their medical records. The HIPAA Privacy Rule generally requires that a
covered entity provide a patient with a copy of the patient’s medical records
within 30 days of the patient’s request. In addition to sanctioning Cignet for
failing to provide patients with access to their medical records, OCR also
penalized Cignet for failing to cooperate with its investigation, finding that
this non-cooperation, in violation of the law, continued on a daily basis from
March 17, 2009 to April 7, 2010.
The $4.3 million CMP consists of $1.3 million for Cignet’s violations of
patient privacy rights and $3 million for Cignet’s failure to cooperate.

The Million Dollar Subway Ticket

On Feb. 24, 2011, OCR announced that Mass General had agreed to pay $1
million to settle a potential HIPAA violation. Mass General entered into a
Resolution Agreement with HHS that requires it to develop and implement a
comprehensive set of policies and procedures to safeguard the privacy of its
patients. As part of the settlement, in addition to paying $1 million, Mass
General must implement a three-year corrective action plan. Mass General did not
admit liability or wrongdoing.
The settlement follows an extensive investigation by OCR. According to the
Resolution Agreement, the settlement relates to a 2009 incident in which a
hospital employee misplaced documents containing protected health information,
including information of patients with HIV/AIDS. The Resolution Agreement
indicates that while commuting to work on the subway, the employee removed
documents containing PHI from her bag and placed them on the seat beside her;
upon exiting the train, she left the documents on the subway and they were never
recovered. The documents contained the name, date of birth, medical record
number, health insurer and policy number, diagnosis, and name of provider for 66
patients and the practice’s daily office schedules for three days containing the
names and medical record numbers of 192 patients. The documents were not in an
envelope and were bound with a rubber band.

The Future of HIPAA Enforcement

HHS has now sent a clear message to entities bound by HIPAA – HIPAA must be
taken seriously. Indeed, in the HHS press release related to the Mass General
incident, OCR Director Georgina Verdugo indicated that entities bound by HIPAA
must ensure they have an effective compliance plan in place in order to avoid
enforcement penalties. Specifically, Verdugo stated, “[w]e hope the health care
industry will take a close look at this [Mass General Resolution] agreement and
recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s
responsibility to protect its patients’ health information.” Verdugo further
opined, “[t]o avoid enforcement penalties, covered entities must ensure they are
always in compliance with the HIPAA Privacy and Security Rules. A robust
compliance program includes employee training, vigilant implementation of
policies and procedures, regular internal audits, and a prompt action plan to
respond to incidents.”
In light of OCR’s clearly articulated intention to aggressively enforce the
HIPAA Privacy and Security Rules, covered entities and business associates
should review their current HIPAA compliance programs. Such a review should
include consideration of the organization’s plan documents, training program(s),
documentation management systems and organizational readiness for a HIPAA audit.
McGuireWoods has extensive experience as counsel to a broad range of covered
entities and business associates. For more information on this topic, or for
guidance to help ensure compliance, please contact us.