A series of recent civil monetary penalties, resolution agreements and settlements imposed by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) shows the office is flexing its recently increased enforcement muscle.
OCR's authority to enforce the Health Insurance Portability and Accountability Act (HIPAA) was significantly expanded under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act's Enforcement Interim Final Rule. Under HITECH, the maximum civil monetary penalty (CMP) that OCR may impose for a violation of HIPAA increased 100 percent.
Despite proposed cuts to OCR’s 2013 fiscal year budget, OCR has no intention of curbing its enforcement activities. In fact, OCR has stated that it is looking to have enhanced enforcement impact by focusing on increased efficiency and high-impact cases. As provided under HITECH, CMPs obtained by OCR are used to fund future enforcement activities, including OCR’s Audit Program. This, too, suggests a significant expansion in OCR’s proactivity and limited tolerance for HIPAA and HITECH implementation failures. The following cases highlight the recent uptick in HHS enforcement activity:
Recent Enforcement and Trends
- On September 17, 2012, OCR announced a settlement agreement, including a $1.5 million CMP and a three-year corrective action and monitoring plan, with a Harvard Medical School teaching hospital, Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI). The settlement came after OCR investigated the theft of an unencrypted MEEI laptop that contained protected health information (PHI) of 3,500 individuals. OCR determined that MEEI demonstrated “a long-term, organizational disregard for the requirements of the [HIPAA] Security Rule,” including failure to conduct a thorough analysis of risks associated with PHI on portable devices. This settlement is notable in light of MEEI’s relatively low annual revenue and the fact that affected individuals apparently suffered no actual harm.
The MEEI Resolution Agreement can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement-pdf.pdf
- On August 30, 2012, a federal district court held that OCR can collect a $4.3 million penalty assessed in 2011 against Uplift Medical P.C., doing business as Cignet Health Center. Three million dollars of that penalty was assessed for Cignet's failure to cooperate with OCR's investigation. OCR concluded that Cignet demonstrated a conscious, intentional failure or reckless indifference to its obligation to comply with the HIPAA Privacy Rule.
The full Sebelius v. Uplift Medical P.C. Opinion can be found at: http://op.bna.com/hl.nsf/r?Open=mapi-8y8p9n
- On June 26, 2012, OCR announced settlement of its first HIPAA enforcement action against a state agency. The Alaska Department of Health and Social Services (DHSS) agreed to pay HHS $1.7 million following the launch of an OCR investigation initiated by a breach report submitted by Alaska DHSS. The breach report indicated that a portable USB hard drive possibly containing PHI was stolen from the vehicle of a DHSS employee.
The DHSS Resolution Agreement can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaskaagreement.pdf
- On April 17, 2012, OCR announced that Phoenix Cardiac Surgery, P.C. (PCS) agreed to pay $100,000 and take corrective action following its investigation of a report that the physician practice posted patient appointments on a publicly accessible Internet-based calendar. The enforcement action illustrates OCR’s position that HHS expects full compliance, no matter the size of a covered entity.
The PCS Resolution Agreement can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
- In March 2012, Blue Cross Blue Shield of Tennessee (BCBST) agreed to a $1.5 million settlement after a 2009 facility break-in resulted in the theft of 57 unencrypted computer hard drives containing PHI for 1,023,209 individuals. The agreement also requires BCBST to review, revise and maintain its privacy and security policies and procedures, to conduct regular and robust training for employees, and to undertake monitoring to ensure compliance with the corrective action plan. Total cost of this breach, including breach notification and implementation of OCR’s corrective action plan, is estimated to be in excess of $20 million.
The BCBST Resolution Agreement can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf
The escalation of HIPAA enforcement demonstrated by the cases above is likely to continue. HIPAA covered entities are advised to ensure that their policies relating to privacy, security and breach notification are up-to-date and effectively implemented.