Two recent developments in the enforcement of the privacy and security rules under the Health Insurance Portability and Accountability Act (“HIPAA”) should give compliance officers of healthcare providers, health plans, and insurers pause. Last month the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) imposed the first ever civil penalty on a healthcare provider under the HIPAA privacy rule and entered into a substantial settlement agreement with another healthcare provider for violations of the HIPAA privacy rule arising from the loss of a few hundred individuals’ protected health information.[1] In so acting, OCR has signaled its seriousness about the enforcement of the HIPAA privacy and security rules. In light of these developments, covered entities and their business associates should review their compliance policies and procedures and confirm good practices with respect to protected health information in order to avoid increasingly significant monetary sanctions.
Under the HIPAA privacy and security rules, covered entities are required to establish policies and procedures to safeguard the confidentiality of individuals’ protected health information. For healthcare providers, such safeguards must extend to the protection of patients’ individually identifiable health information in the course of providing treatment. For health plans and insurers, the confidentiality of protected health information must be safeguarded in the course of providing coverage for the payment of healthcare treatment. In addition, covered entities routinely enter into arrangements with service providers to perform administrative functions requiring the use or disclosure of protected health information. Since the inception of the HIPAA privacy and security rules, such “business associates” of covered entities have had contractual obligations to abide by the same restrictions on the use and disclosure of protected health information that apply to covered entities. Following passage of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act[2]), however, business associates are now, as covered entities have always been, directly subject to the civil and criminal penalties that may be imposed by OCR under HIPAA.
The civil and criminal monetary sanctions that may be imposed by OCR for violations of HIPAA by either a covered entity or its business associate were also dramatically increased by the HITECH Act. Currently, there are four penalty tiers ranging from $100 to $50,000 for each violation, with $25,000 to $1,500,000 for similar violations in the same year. Penalties vary depending on the degree of culpability of the covered entity or business associate, with the most severe penalties reserved for violations arising from “willful neglect.”
OCR has previously imposed sanctions under settlement agreements with cooperative covered entities for violations of HIPAA. In the first civil money penalty ever imposed by OCR, Cignet Health of Maryland was ordered last month to pay $4.35 million for HIPAA violations arising from the covered entity’s failure to provide 41 patients with access to their protected health information (such access is required according to procedures and timeframes outlined in the privacy regulations) as well as the covered entity’s failure to cooperate with OCR’s investigation. Indeed, by failing to cooperate more fully with OCR’s investigation of the patients’ complaints (itself a violation of HIPAA that is subject to sanction), Cignet Health acted with the kind of “willful neglect” that in the view of OCR made it liable for the most stringent monetary penalties. Three million dollars of the $4.35 million sanction was attributable to Cignet Health’s failure to cooperate.
In another sanction announced last month, OCR has entered into a settlement agreement with General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (“Mass General”). The settlement agreement provides for the payment of $1 million to resolve multiple disclosure violations that occurred when a Mass General employee misplaced on the subway paper medical records containing the protected health information of 192 patients.
While to some observers the penalties in both cases appear disproportionate to the violations at issue, it is worth noting that Mass General cooperated more fully with the investigation than did Cignet Health. Among other things, Mass General’s settlement agreement with OCR includes the creation of a corrective action plan to be temporarily monitored by OCR. By cooperating with OCR, Mass General probably avoided even more stringent penalties that could have been imposed for the single action of one of its employees.
If nothing else, these cases are a poignant reminder that stricter enforcement of HIPAA is here to stay, and that it is imperative for covered entities and business associates to cooperate fully with OCR in the event of any investigation of an alleged violation of HIPAA. Covered entities and business associates must take action to ensure that adequate policies and procedures are in place and up to date. In particular, healthcare providers, health plans, insurers, and their business associates would be well advised to make sure they have in place the periodic workforce training on HIPAA compliance that is required by the regulations. Not only is such training a good practice to avoid potentially costly errors, but it also demonstrates awareness of and ongoing compliance with HIPAA requirements.