HHS Puts Industry on Notice: OCR is Serious About HIPAA Enforcement

March 2, 2011

On Feb. 22, 2011, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had issued a civil money penalty (CMP) of $4.3 million against Cignet Health of Prince George’s County, Md., the first imposition of a CMP by OCR for a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Two days later, HHS announced that General Hospital Corporation and Massachusetts General Physicians Organization, Inc., collectively referred to as Mass General, agreed to pay $1 million to settle potential violations of the HIPAA Privacy Rule.

OCR Issues its First Civil Monetary Penalty for a Violation of the HIPAA Privacy Rule

On Feb. 22, 2011, HHS announced that OCR had issued a Notice of Final Determination ordering Cignet to pay a CMP of $4.3 million. HHS’ imposition of this penalty represents the first CMP issued by HHS for a covered entity’s violation of the HIPAA Privacy Rule. The HITECH Act expanded HHS’ ability to issue CMPs and increased the maximum penalty amount from $25,000 to $1.5 million for all violations of an identical provision.

OCR determined that Cignet had violated the law both by violating the rights of patients and by failing to cooperate with OCR’s investigation. OCR found that Cignet violated the rights of 41 patients by denying them access to their medical records. The HIPAA Privacy Rule generally requires that a covered entity provide a patient with a copy of the patient’s medical records within 30 days of the patient’s request. In addition to imposing sanctions on Cignet for failing to provide patients with access to their medical records, OCR penalized Cignet for its failure to cooperate with the investigation, which OCR found to be a violation of the law continuing on a daily basis from March 17, 2009 to April 7, 2010.

The CMP of $4.3 million consists of a CMP of $1.3 million for Cignet’s violations of patient privacy rights and a CMP of $3 million for Cignet’s failure to cooperate.

The Million Dollar Subway Ticket

On Feb. 24, 2011, OCR announced that Mass General had agreed to pay $1 million to settle a potential HIPAA violation. Mass General entered into a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. As part of the settlement, in addition to paying $1 million, Mass General must implement a three-year corrective action plan. Mass General did not admit liability or wrongdoing.

The settlement follows an extensive investigation by OCR. According to the Resolution Agreement, the settlement relates to a 2009 incident in which a hospital employee misplaced documents containing protected health information (PHI), including information of patients with HIV/AIDS. The Resolution Agreement indicates that while commuting to work on the subway, the employee removed documents containing PHI from her bag and placed them on the seat beside her. Upon exiting the train, she left the documents on the subway, and they were never recovered. The documents contained the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of provider for 66 patients, as well as the practice’s daily office schedules for three days, containing the names and medical record numbers of 192 patients. The documents were not in an envelope and were bound with a rubber band.

The Future of HIPAA Enforcement

HHS has now sent a clear message to entities bound by HIPAA: HIPAA must be taken seriously. Indeed, in the HHS press release related to the Mass General incident, OCR Director Georgina Verdugo indicated that entities bound by HIPAA must ensure they have an effective compliance plan in place in order to avoid enforcement penalties. Specifically, Verdugo stated, “[w]e hope the health care industry will take a close look at this [Mass General Resolution] agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.” Verdugo further opined, “[t]o avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules. A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

In light of OCR’s clearly articulated intention to aggressively enforce the HIPAA Privacy and Security Rules, covered entities and business associates should review their current HIPAA compliance programs. Such a review should include consideration of the organization’s plan documents, training program(s), documentation management systems and organizational readiness for a HIPAA audit.

McGuireWoods has extensive experience as counsel to a broad range of covered entities and business associates. For more information on this topic, or for guidance to help ensure compliance, please contact us.