The Health Information Technology for Economic and Clinical Health ("HITECH") Act of 2009, enacted as part of the American Recovery and Reinvestment Act, significantly changes the landscape of HIPAA civil enforcement. HITECH requires that the Federal government take a much more rigorous approach to enforcement, and imposes steeper civil money penalties ("CMPs") for HIPAA violations.
Although CMPs have always been part of the HIPAA enforcement scheme, until just last month they existed only on paper. On February 22, 2011, the Department of Health and Human Services' ("HHS") Office for Civil Rights ("OCR") – the government agency charged with HIPAA enforcement – announced that it was imposing the first-ever CMP against a covered entity for Privacy Rule violations (Cignet Health of Prince George's County, MD). The CMP was significant - $4.3 million – and covered entities are understandably concerned about what the future of HIPAA civil enforcement holds.
The CMP resulted from OCR's investigation of patient complaints alleging that the covered entity, a health care provider, did not allow the patients to access their medical records. While OCR imposed a sizeable penalty ($1.3 million) for the underlying violations themselves, the greatest part of the CMP – $3 million – resulted from the covered entity's failure to cooperate with the OCR investigation. What's more, despite being given opportunities to do so, the covered entity did not present mitigating evidence or evidence that the alleged violations were due to reasonable cause rather than willful neglect. The OCR's published findings of fact indicate that the covered entity was non-responsive throughout the investigation.
This first HIPAA CMP telegraphs several things to covered entities.
First, because the enforcement process is currently entirely complaint-driven (though this will change when OCR begins to exercise its HITECH audit mandate, perhaps yet this year), covered entities are well-advised to have and to implement robust policies and procedures for allowing individuals to exercise their individual rights to protected health information, such as access, amendment, and accounting of disclosures. Satisfied customers are unlikely to complain. Covered entities should also have and implement policies and procedures that encourage patients and plan participants to bring privacy complaints directly to the covered entity (although covered entities must still inform individuals of their right to complain to OCR) – and to give them comfort that the covered entity takes complaints seriously and works diligently to resolve them without the need for escalation to OCR. Finally, it goes without saying that covered entities should be prepared, with assistance of counsel, to be responsive and cooperative in the event of an OCR investigation or audit.
Enhanced Civil Enforcement Generally
Most covered entities were required to comply with the HIPAA Privacy Rule as of April 14, 2003. OCR carries out its enforcement obligations in several ways: performing education and outreach to foster HIPAA/HITECH compliance; conducting compliance investigations and audits to determine whether covered entities are in compliance; and investigating privacy and security complaints filed with it.
HITECH significantly enhances HIPAA civil enforcement. After HITECH, complaints do not drive the process alone: the Act requires HHS to periodically and proactively audit covered entities and business associates. Although covered entities cannot yet know what the audit process will look like (OCR is expected to publish audit guidelines soon), Susan McAndrew, deputy director for privacy at OCR, has offered important clues. During a May 2010 interview, McAndrew indicated that audits will likely be outsourced rather than conducted by OCR staff. Security audits will focus on whether covered entities have performed the risk assessment for electronic PHI mandated by the Security Rule, while privacy audits will center upon the exercise of individual rights. During comments at the National HIPAA Summit on March 9, 2011, McAndrew stated that audit planning is continuing, and that OCR will likely pilot one or more audit models in 2011.
HHS must now investigate all complaints in which preliminary investigation indicates a possible violation due to willful neglect, and must impose CMPs if it finds that a violation was indeed due to willful neglect.
State attorneys general are authorized to enforce HIPAA on behalf of residents of their state harmed by alleged violations. There have been three such lawsuits to date, both involving security breaches by health insurers and delay in notifying affected participants. There are ongoing AG investigations, as well, which may lead to additional lawsuits.
The first AG action occurred in January 2010, when the Connecticut Attorney General sued a health insurer under HIPAA/HITECH related to the loss of a disk drive containing unsecured PHI and other private information for almost half a million Connecticut residents. The lawsuit settled in July 2010. Under the terms of the settlement, the covered entity is required to pay damages and enter a Corrective Action Plan ("CAP"). The covered entity agreed to pay statutory damages of $250,000, and to make an additional contingent payment of $500,000 if the disk drive is later accessed and private information used to plan participants' detriment. The CAP requires the covered entity to provide identity theft protection; implement enhanced systems controls, management and oversight structure, and employee training; and improve incentives, monitoring, and reports. After the settlement, the AG commended the covered entity for cooperating with the resolution, taking responsibility for the data breach, and committing financial and other resources to remedial actions.
The second AG lawsuit, brought under HIPAA/HITECH and state security breach and consumer fraud law, occurred in January 2011. The Vermont AG filed a complaint and proposed settlement against a health insurer related to the insurer's loss of an unencrypted portable hard drive containing unsecured PHI, social security numbers, and financial information for 525 Vermont residents. The insurer waited six months to notify plan participants of the breach, and when it did it informed them that their risk was "low" because the files were not saved in an easily-accessible format (they were, in fact, saved in TIF format, which is easily viewed with available software). The proposed settlement required that the insurer pay $55,000 to the State – considerably lower than in Connecticut, likely due to the smaller number of people affected – submit to a data-security audit, and report to the State for two years on its information security programs.
The third AG lawsuit, brought exclusively under State law, occurred in October 2010 when the Indiana Attorney General filed a data breach lawsuit against a health insurer. More than 32,000 Indiana residents were affected by the alleged breach. The breach occurred when applications for individual insurance policies submitted to the insurer (which contained social security numbers, financial information and health records) could be accessed through an unsecured website from October 23, 2009 – March 8, 2010. A consumer notified the insurer on February 22, 2010, and again on March 8, 2010, at which time the insurer secured the site. Consumers were notified of the data breach beginning June 18, 2010. Although State law required the insurer to notify the State AG's office without unreasonable delay, the AG did not find out about the breach until alerted by news reports. This lawsuit was recently settled: terms included a $100,000 payment by the health insurer, and an admission by the health insurer that it had experienced a security breach and failed to notify the State AG's office as required by Indiana law. The insurer also agreed to provide 2 years of credit monitoring and identity theft protection, and to reimburse customers up to $50K for losses due to identity theft resulting from the breach. Tellingly, the State AG commented: "The requirement to notify the Attorney General 'without unreasonable delay' is not fulfilled by having me read about the breach in the newspaper."
It is interesting to note that OCR is offering HIPAA Enforcement Training to state AGs this Spring. The training will include instruction on "[i]nvestigative techniques for identifying and prosecuting potential violations." It is reasonable to anticipate uptick in state AG investigations and lawsuits in the wake of this training. Covered entities are advised to consider the nature of AG lawsuits to date and ensure that they have completed their ePHI risk assessment, and have in place robust security policies and procedures, particularly concerning the security of PHI removed from the covered entity's premises (PDAs, laptop computers, and paper records). "Refresher" employee training on this important security component would serve covered entity's well.
HITECH also increases the amount of civil money penalties that HHS may impose for privacy and security violations occurring after February 18, 2009. Before HITECH, CMPs were limited to $100 per violation, and $25,000 for all identical violations of the same HIPAA provision. HITECH establishes a tiered system of increasing minimum penalty amounts, with a maximum penalty of $1.5M for all violations of an identical provision during a calendar year.
- For a violation in which it is established that the CE did not know, and by exercising reasonable diligence would not have known, that the CE violated the provision. $100 - $50,000 for each violation; maximum of $1.5M for identical violations during a calendar year.
- For a violation in which it is established that the violation was due to reasonable cause and not willful neglect by the CE. $1,000 - $50,000 for each violation; maximum of $1.5M for identical violations during a calendar year.
- For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the CE knew, or by exercising reasonable diligence could have known, that the violation occurred. $10,000 - $50,000 for each violation; maximum of $1.5M for identical violations during a calendar year.
- For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the CE knew, or by exercising reasonable diligence could have known, that the violation occurred. $50,000 or more for each violation; maximum of $1.5M for identical violations during a calendar year.
HITECH enforcement is not all "punitive" for covered entities. HITECH required HHS to designate an individual in each HHS regional office to offer guidance and education to covered entities and business associates, as well as to individuals. In July 2009, the Acting Director and Principal Deputy Director for Civil Rights designated the OCR Regional Managers in each of the HHS Regional Offices to serve as the Regional Office Privacy Advisors for their respective regions. Their names, addresses, and contact information are available at http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html.
HIPAA Privacy Enforcement
The Federal government publishes statistics on enforcement actions. As of February 28, 2011:
- HHS has received over 58,911 HIPAA Privacy complaints, and has resolved more than 91% of them.
- HHS/OCR has investigated and resolved over 13,003 cases by requiring changes in privacy practices and other corrective actions by covered entities. Corrective actions have resulted in systemic change that affects all individuals served by the covered entity. HHS has enforced the Privacy Rule by applying corrective measures in all cases where an investigation indicated noncompliance by the covered entity. OCR has investigated complaints against many different types of entities including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
- In another 6,784 cases, HHS/OCR investigations found no violation had occurred.
- In the rest of the completed cases (33,841), HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule. These include cases in which:
- OCR lacks jurisdiction under HIPAA – such as a complaint alleging a violation before the compliance date or alleging a violation by an entity not covered by the Privacy Rule
- The complaint is untimely, withdrawn, or not pursued by the filer
- The activity described does not violate the Privacy Rule
The most frequently-investigated compliance issues are:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Uses or disclosures of more than the Minimum Necessary protected health information; and
- Complaints to the covered entity.
The first step in an OCR investigation is intake and review. OCR may only take action against complaints that meet the following criteria:
- The alleged action must have occurred after the compliance date for the Privacy Rule (April 14, 2003) or the Security Rule (April 20, 2005).
- The complaint must be filed against an entity required by law to comply with the Privacy Rule or Security Rule, i.e., a "covered entity" – health plan, health care provider that electronically transmits health information in connection with certain financial and administrative transactions, or health care clearinghouse.
- The complaint must allege an activity that, if true, would violate the Privacy Rule or Security Rule.
- The complaint must be filed within 180 days of when the complainant knew or should have known of the alleged violation; however, OCR may waive this requirement for "good cause."
If the complaint does not meet one or more of these criteria, it is "resolved" at intake and review, and OCR takes no further action on it.
Investigation and Resolution: Informal Resolution and RA/CAPS
If the complaint meets all criteria, however, OCR accepts the complaint for investigation and notifies the complaining party. Both the complaining party and the covered entity are asked to submit information to OCR about the incident or problem described in the complaint – covered entities are required by law to cooperate with OCR investigations. If the complaint describes an action that could violate HIPAA's criminal provisions, OCR may refer the complaint to the Department of Justice for investigation.
The results of OCR's investigation may, of course, reveal that the covered entity has not violated the Privacy Rule or Security Rule. If, however, the investigation reveals non-compliance of a less serious nature (generally meaning that the covered entity was not grossly noncompliant), the OCR may attempt informal resolution in the form of voluntary compliance/corrective action by the covered entity. The following are example of what the OCR deems "successful" corrective actions:
- Large Health Care Provider Restricts Use of Patient Records. A nurse practitioner with privileges at a multi-hospital health care system, who was part of the system's organized health care arrangement, impermissibly accessed her ex-husband's medical records. To resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity terminated the nurse practitioner’s access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing authority; and provided the nurse practitioner with remedial Privacy Rule training.
- Hospital Revises Email Distribution as a Result of an Impermissible Disclosure. The complainant, who was both a patient and an employee of the covered entity, alleged that her protected health information was impermissibly disclosed to her supervisor. OCR’s investigation revealed that the hospital distributed an Operating Room schedule to employees via email, and the hospital’s OR schedule contained information about the complainant’s upcoming surgery. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case, a hospital employee shared the OR schedule with the complainant’s supervisor, who was not part of the employee's treatment team and did not need the information for payment, health care operations, or other permissible purposes. The hospital disciplined and retrained the employee who made the impermissible disclosure. Additionally, in order to prevent similar incidents, the hospital undertook a complete review of the distribution of the OR schedule. As a result of this review, the hospital revised the distribution of the OR schedule, limiting it to those with a need to know.
- Private Practice Ceases Conditioning of Compliance With the Privacy Rule. A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient’s silence. OCR required the covered entity to cease using the patient agreement that conditioned the entity’s compliance with the Privacy Rule. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices.
- Mental Health Center Provides Access After Denial. The complainant alleged that a mental health center improperly provided her records to her auto insurance company, and refused to provide her with a copy of her medical records. The covered entity provided OCR with a valid authorization, signed by the complainant, permitting the disclosure to the insurance company. OCR also determined that the covered entity denied the complainant's request for access because her therapists believed providing the records to her would likely cause her substantial harm. The covered entity did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule. Among other corrective action taken to resolve this issue, the covered entity provided the complainant with a copy of her records.
- National Pharmacy Chain Extends Protections for Protected Health Information. A pharmacy employee placed a customer's insurance card in another customer's prescription bag. The pharmacy did not consider the customer's insurance card to be protected health information. OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff.
If the outcome of the investigation is more serious, but does not warrant CMPs, HHS may enter into a written Resolution Agreement and Corrective Action Plan ("RA/CAP") with the covered entity. Under the terms of the RA/CAP, the covered entity may agree to pay a fine known as a "resolution amount" (which can be substantial), implement corrective actions such as staff training and revamping policies and procedures, and/or report to HHS, generally for a 3-year period during which HHS monitors the covered entity's compliance with the RA/CAP.
To date, HHS has entered into six resolution agreement with covered entities:
- Providence Health & Services. On July 16, 2008, HHS entered into its first-ever Resolution Agreement with a covered entity. According to HHS, the covered entity's cooperation with OCR and CMS allowed HHS to resolve the complaint without resorting to CMPs. HHS's investigation indicated that on several occasions during a six-month period, backup tapes, optical disks, and laptops containing unencrypted electronic protected health information were removed from the covered entity's premises and left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of more than 386,000 patients. HHS received more than 30 complaints about the stolen tapes and disks, submitted after the covered entity alerted patients to the theft pursuant to State notification laws. The covered entity also voluntarily reported the stolen media to HHS. OCR and CMS focused their investigations on the covered entity's failure to implement policies and procedures to safeguard this information.
The RA/CAP required the covered entity to pay a $100,000 resolution amount to HHS and to implement the following safeguards:
- Revise its policies and procedures, subject to HHS approval, regarding physical and technical safeguards (i.e., encryption) for off-site transport and storage of electronic media containing patient information
- Train workforce members on the safeguards
- Conduct audits and site visits of facilities
- Submit compliance reports to HHS for a period of three years
- CVS Pharmacy. On January 16, 2009, HHS reached a Resolution Agreement with a nationwide pharmacy chain to resolve potential Privacy Rule violations. OCR opened its investigation after media reports alleged that the covered entity was disposing of protected health information in unsecured dumpsters that were accessible by the public. The FTC also opened an investigation, which it pursued collaboratively with OCR.
Among other issues, the OCR investigation indicated that the covered entity did not implement adequate policies and procedures to safeguard PHI during the disposal process, did not adequately train employees on proper disposal of PHI, and did not maintain and implement sanctions policies for workforce members who fail to comply with disposal policies and procedures.
The RA/CAP required that the covered entity pay a $2.25 million resolution amount to HHS and ensure appropriate disposal of PHI by:
- Revising and distributing policies and procedures regarding disposal of protected health information
- Sanctioning workers who do not follow them
- Training workforce members on the new requirements
- Conducting internal monitoring
- Engaging a qualified, independent third party to assess and report on the covered entity's compliance with the CAP
- Implement internal reporting procedures requiring workers to report all violations of the new policies and procedures
- Submitting compliance reports to HHS for a three-year period
The pharmacy chain and its parent company also signed a consent order with the Federal Trade Commission to settle potential violations of the FTC Act.
- Rite Aid Corporation. On July 27, 2010, HHS reached a Resolution Agreement with a different pharmacy chain to resolve potential Privacy Rule violations. In a coordinated action, the chain also signed a consent order with the FTC to settle potential violations of the FTC Act.OCR opened its investigation after television media videotaped the pharmacies disposing of prescriptions and labeled pill bottles containing individuals’ identifiable information in trash containers that were accessible by the public. Among other issues, the reviews by OCR and the FTC indicated that the covered entity did not implement adequate policies and procedures to appropriately safeguard patient information during the disposal process, did not adequately train employees on how to properly dispose of such information, and did not maintain a sanctions policy for workforce members who failed to properly dispose of patient information.
The RA/CAP required the covered entity to pay a $1 million resolution amount to HHS and to ensure appropriate disposal of PHI by:
- Revising and distributing its policies and procedures regarding disposal of protected health information, and sanctioning workers who do not follow them
- Training workforce members on these new requirements
- Conducting internal monitoring
- Engaging a qualified, independent third party to conduct compliance reviews and report to HHS
- The covered entity also agreed to external independent assessments of its stores' compliance with the FTC consent order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.
- Management Services Organization Washington, Inc. On December 13, 2010, HHS entered into a resolution agreement with an integrated health care company to resolve potential Privacy Rule and Security Rule violations. The settlement arose from a coordinated investigation of HHS and the Inspector General and the U.S. Department of Justice, which had been investigating the covered entity for violations of the Federal False Claims Act.
The HHS investigation indicated that the covered entity disclosed electronic protected health information without authorization to an affiliated entity, which used the information for marketing purposes. The investigation also showed that the covered entity "intentionally" did not have in place or implement appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of the protected health information.
The RA/CAP required the covered entity to pay a $35,000 resolution amount, develop, maintain, and revise its policies and procedures, and appropriately train its workforce on these policies and procedures. HHS will monitor the covered entity's compliance with the terms of the CAP and the Privacy and Security Rules for two years.
- General Hospital Corp. & Massachusetts General Physicians Organization, Inc. On February 14, 2011, HHS entered into a Resolution Agreement with a health care provider to resolve potential Privacy Rule violations.
The incident giving rise to the agreement involved the loss of protected health information, including a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. Some of the patients had HIV/AIDS. The documents were lost when an employee of the covered entity, while commuting to work, left the documents on a subway train. They were never recovered.
OCR’s investigation indicated that the covered entity failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from the covered entity's premises, and impermissibly disclosed PHI in potential violation of the Privacy Rule.
The covered entity and HHS entered an RA/CAP after "extensive" investigation by OCR. The RA/CAP required that the covered entity pay a $1M resolution amount, and develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. OCR Director Georgina Verdugo commented: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information. "To avoid enforcement penalties, Verdugo noted, covered entities "must ensure they are always in compliance with the HIPAA Privacy and Security Rules. "A robust compliance program includes "employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”
- UCLA Health System. On July 6, 2011, HHS entered a Resolution Agreement with a health system to resolve potential Privacy and Security Rule violations.
At issue were complaints by two separate celebrity patients who alleged that the health system's employees impermissibly accessed the patients' electronic protected health information. The HHS investigation revealed that "numerous" employees had "repeatedly and without permissible reason" examined patients' protected health information (PHI). The system agreed to settle potential HIPAA violations for $865,000, and to participate in a corrective action plan (CAP) to remedy compliance gaps. The CAP requires the health system to implement privacy and security policies and procedures approved by HHS, to conduct "regular and robust" trainings for all employees who use PHI, to sanction offending employees, and to designate an independent monitor to assess the system's compliance over a three (3)-year period. OCR director Georgina Verdugo commented: "Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider …. Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law." Verdugo emphasized that "HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity."
Investigation and Resolution: Formal Findings and CMPs
If a complaint cannot be resolved informally or through a RA/CAP, OCR may issue a formal finding of violation and impose CMPs against the covered entity. If CMPs are imposed, the covered entity can request a hearing before an administrative law judge to determine if the evidence supports the penalties imposed. As noted above, HHS issued its first-ever CMP against a covered entity on February 22, 2011.
The investigation and subsequent findings and penalty resulted from the covered entity's failure to provide individuals access to their protected health information, and subsequent non-cooperation with the OCR's investigation. The results of the OCR's investigation are instructive.
- OCR notified the covered entity that it was investigating 38 complaints by affected individuals, and requested a response. The covered entity did not respond to written notifications, "numerous" attempted telephone follow-ups, or two subsequent letters (one from OCR's Region III manager and the other from the General Counsel's Office of HHS).
- OCR established written "final deadline[s]" for the covered entity to provide the requested medical records. The covered entity neither provided the records, nor responded to OCR's letters setting the deadlines.
- OCR issued a subpoena duces tecum directing the covered entity to produce the medical records for 11 individuals. The covered entity did not produce the records or respond to the subpoena.
- OCR sent a certified letter to the covered entity, informing that it had not received a response to the subpoena and would initiate enforcement actions if the covered entity did not respond. The covered entity neither produced the records nor responded.
- On February 4, 2010, OCR filed a petition to enforce its subpoena in federal district court. The court issued an order for the covered entity to show cause, and scheduled a hearing. The covered entity did not appear at the hearing, did not respond to the petition, and did not defend.
- The court entered a default judgment against the covered entity, and ordered it to produce a copy of the "complete designated record sets" (medical records) for the individuals listed in the subpoena by April 7, 2010.
- On April 7, 2010 the covered entity delivered 59 boxes of medical records to the attorney representing OCR. Included in the boxes were not only the medical records of the 11 individuals listed on the subpoena, but the records of 30 other complaining parties and "the medical records of approximately 4,500 individuals for whom the OCR made no request or demand and for whom [the covered entity] had no basis for the disclosure of their protected health information."
- In August 2010, OCR informed the covered entity that its investigations revealed noncompliance and that the matter "had not been resolved by informal means despite OCR's attempts to do so." OCR described each of the covered entity's indicated acts of noncompliance as well as the potential CMP. The letter provided the covered entity an opportunity to submit written evidence of any mitigating factors or affirmative defenses for OCR's consideration in making its determination of a CMP, and stated that the covered entity could submit written evidence to support a waiver of a CMP for "violations that were due to reasonable cause and not due to willful neglect." The covered entity did not respond to this letter.
Based upon these findings of fact, OCR determined that the covered entity violated the Privacy Rule in two ways:
- Failure to provide individuals access to protected health information about them in designated record sets (medical records). The covered entity's failure to provide each individual with access constituted a separate violation, and each day that the violation continued counted as a separate violation.
- Failure to cooperate with an investigation. The covered entity's failure to cooperate with investigation of each of 27 complaints constituted a separate violation, and each day the violation continued counted as a separate violation. Each violation was found to be due to the covered entity's "willful neglect" (conscious, intention failure or reckless indifference to the obligation to comply).
OCR found several "aggravating factors" when determining the amount of the CMP. First, the covered entity's failure to provide the individuals with timely access to their PHI hindered the patients' ability to obtain continuing health care. Further, OCR was "forced by [the covered entity's] inaction" to issue a subpoena and file a court petition in order to obtain copies of the individuals' PHI.
OCR assessed a CMP of $1,351,600 for failure to provide access, and $3,000,000 for failure to cooperate with the ensuing investigation. Because OCR determined that the covered entity's failure to cooperate with the investigation was due to willful neglect, it could not waive the CMP, in whole or in part, "even if the payment of the penalty would be excessive relative to the violation."
In its October 2010 Notice of Proposed Determination, OCR notified the covered entity of its right to a hearing before an administrative law judge to challenge the proposed CMP. When it failed to do so, OCR issued a Notice of Final Determination on February 4, 2011, assessing the $4,351,600 CMP.
In announcing the most recent HIPAA/HITECH Resolution Agreement, OCR Director Georgina Verdugo stated: "We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information." The enhanced enforcement landscape under HITECH, and the nature of civil enforcement to date, have important take-aways for covered entities:
- Building consumer confidence should be the goal of any HIPAA compliance plan, and is key to avoiding OCR enforcement. Words on paper are important, but they must be backed by internalization and implementation at all levels of the organization.
- Basic but vital: Do all members of the covered entity's workforce know what PHI is - not just how the regulations define the term, but what form PHI takes within the organization itself? Concrete examples from the covered entity's data-mapping project will allow employees to recognize PHI when they see it.
- The covered entity should have in place policies and procedures that not only safeguard the privacy and security of PHI, but also by their nature encourage individuals to bring privacy complaints directly to the covered entity. While the covered entity must advise individuals of their right to complain to OCR – and can never actively discourage an OCR complaint or ask that an individual not complain to OCR – the covered entity will do well to proactively inform individuals that it takes privacy seriously, and that it will diligently and thoroughly investigate all grievances. If an individual does make a privacy complaint, it is imperative that the covered entity respond quickly and completely. Regular staff training on the handling of complaints is essential.
- With the upcoming OCR training for State attorneys' general (Spring 2011), it is reasonable to expect an uptick in attorney general investigations and enforcement.
- Recent OCR enforcement that has escalated beyond informal resolution has focused upon security of PHI, particularly ePHI. Covered entities are advised to revisit their security risk assessment, and strengthen and document it where necessary.
- It goes without saying that covered entities must be responsive and cooperative in the face of any enforcement action (by a State attorney general or by OCR) or OCR audit. Covered entities should work closely with counsel at the first sign of a pending enforcement action.
- The OCR audit process may well begin in 2011. While covered entities cannot yet know what the audit process will look like (who will conduct the audits, how audit subjects will be chosen, what the audit model will be), covered entities can prepare for the possibility of an audit by getting their "ducks in a row" - which of course they should be doing anyway. OCR has indicated that privacy audits may focus on the exercise of individual rights, and security audits may focus on the security risk assessment for ePHI.
- Consider refresher staff training on practical security issues, particularly the security of ePHI and PHI in any form that leaves the covered entity's premises. Laptop computers, and now PDAs, are particular areas of concern.
Recent enforcement actions have been significant, and covered entities are rightly concerned about what the future of enforcement may hold. However, covered entities are certainly not helpless in the face of heightened enforcement, and should look at recent enforcement as an opportunity to improve rather than a threat.