Recent HIPAA Enforcement Actions: Strong Medicine for Health Care Employers
The United States Department of Health & Human Services (HHS) recently announced its first-ever civil monetary penalty for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. On February 22, HHS reported that it assessed $4.3 million against Cignet Health of Prince George’s County, Md. Two days later, HHS disclosed a $1 million settlement with Massachusetts General Hospital to resolve a HIPAA privacy complaint.
Background on HIPAA and the HITECH Act
The HIPAA Privacy Rule protects personal health information held by covered entities such as hospitals, clinics, laboratories, pharmacies, dentists, and many others that provide medical, dental or mental health care or treatment. Although the Privacy Rule gives patients an array of rights with respect to that information, the rule is intended to permit disclosure of personal health information needed for patient care and other important purposes. HHS enforces HIPAA.
In 2009, Congress authorized increased penalties and outlawed additional behavior in the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act established four categories of violations corresponding to increasing levels of culpability on the part of covered entities, increased civil monetary penalties, and required that HHS base penalties on the nature and extent of the violation and of the resulting harm. The HITECH Act’s tiered penalty structure significantly increased the potential liability of covered entities. The new law also eliminated certain defenses that were previously available to covered entities.
Cignet Penalized for Violating HIPAA and Refusing to Cooperate
According to HHS, Cignet violated HIPAA by improperly denying 41 patients access to their medical records requested between September 2008 and October 2009. Many of these patients filed individual complaints with HHS, which initiated investigations. Cignet refused to cooperate with HHS’s investigations or to produce records in response to a subpoena. After HHS enforced the subpoena in federal court, Cignet produced the medical records, but made no further efforts to resolve the complaints.
HHS calculated the $4.3 million penalty based on the new violation categories and increased penalties authorized under the HITECH Act. Accordingly, HHS imposed a $1.3 million penalty for violation of the HIPAA rule that requires a covered entity to provide patients with their medical records within 30 (and no later than 60) days, and $3 million for failing to cooperate with HHS in its investigations.
Mass General Settles HIPAA Claims
On the heels of the Cignet penalty, HHS announced that Mass General had agreed to pay a $1 million settlement for HIPAA violations. In March 2009, a Mass General employee accidentally left documents on a subway train, including documents that contained the protected health information (PHI) of 192 patients, some of whom were diagnosed with HIV/AIDS. The documents contained the name, date of birth, medical record number, health insurer and policy number, diagnosis, and names of providers for 66 patients, as well as the names and medical record numbers of all 192 patients. The documents were never recovered.
In addition to paying the government $1 million, Mass General also entered into a corrective action plan, requiring the hospital to: (a) implement a comprehensive set of policies and procedures to protect PHI that is removed from hospital premises; (b) train employees on these policies and procedures; and (c) review and update the policies annually.
While details of the settlement negotiations were not made public, the enhanced penalty provisions enacted as part of the HITECH Act in 2009 likely played a prominent role in the settlement.
Health care employers can expect HHS to continue its HIPAA enforcement efforts and to use its authority under HITECH to impose penalties or negotiate high-dollar settlements with covered entities that violate HIPAA’s Privacy Rule. Covered entities will be held strictly liable for HIPAA violations; as seen in the Mass General case, even accidental violations are punishable.
Upon discovery of a potential HIPAA violation, health care organizations should take immediate steps to mitigate or correct the violation. Furthermore, covered entities should cooperate with HHS investigations to limit penalties of up to $50,000 per violation. The Cignet example demonstrates that HHS can and will impose penalties on covered entities that commit egregious violations of HIPAA and refuse to cooperate with investigations.
Additionally, the Mass General settlement shows that HHS expects all covered entities to implement policies and procedures addressing removal of PHI from hospital premises. Such removal should occur only when absolutely necessary, and the PHI should be rigorously safeguarded, including by encryption. Health care organizations should implement a comprehensive HIPAA training program for all employees that is well-documented and consistent with organizational policies and current legal requirements.
If you have any questions about the information in this posting please contact the Foster Pepper Employment and Labor Relations Practice Group or the Foster Pepper Health Care Practice Group.