Last week, the U.S. Department of Health and Human Services (HHS) announced two major actions in the HIPAA enforcement arena: (1) the imposition of $4.3 million in civil monetary penalties (CMPs) against Cignet Health, the first time HHS has ever imposed CMPs on a covered entity for HIPAA Privacy Rule violations; and (2) a $1 million settlement with Mass General to resolve alleged HIPAA Privacy Rule violations.

Subject to certain limitations under 42 U.S.C. § 1320d-5(b), HIPAA authorizes the Secretary of HHS to impose CMPs against any covered entity that violates one of the HIPAA administrative simplification provisions, which include the Privacy Rule regulations at 45 C.F.R. Part 160 and Part 164, Subparts A and E. The HITECH Act, enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009, dramatically increased the authorized penalty amounts. Prior to February 18, 2009, the Secretary could impose on any person who violated an administrative simplification provision a penalty of not more than $100 for each violation, up to a $25,000 calendar-year cap for all violations of an identical requirement or prohibition. As amended by HITECH, the Secretary may impose CMPs ranging from not less than $100 to not more than $50,000 for each violation, with the applicable range depending on the level of culpability (willful neglect draws the highest amounts), subject to an increased calendar-year maximum of $1.5 million for all violations of an identical requirement or prohibition.

1. HHS Imposes $4.3 Million Civil Monetary Penalty Against Cignet.

On February 22, 2011, HHS announced the imposition of $4.3 million in CMPs against Cignet Health (Cignet) for violations of the HIPAA Privacy Rule. Approximately $1.3 million of the total penalty is attributable to Cignet’s failure to provide 41 individuals access to their medical records, as required by 45 C.F.R. § 164.524, and the remaining $3 million is for Cignet’s failure to cooperate with an investigation, as required by 45 C.F.R. § 160.310(b).

The HHS Office for Civil Rights (OCR) notified Cignet of the proposed $4.3 million in CMPs and the findings of fact forming the basis for the imposition of the penalties in an October 20, 2010 Notice of Proposed Determination (Proposed Determination). According to the Proposed Determination, Cignet failed to respond to 41 individuals who requested access to their medical records between September 2008 and October 2009. Thirty-eight of those individuals filed complaints with OCR, and OCR initiated an investigation of each complaint.

According to the Proposed Determination, Cignet did not respond to OCR’s written notifications of the investigations or to multiple follow-up attempts to contact Cignet, did not produce the records during the investigations as required, and did not respond to a subpoena demanding that Cignet produce records in connection with 11 of the investigations. Cignet eventually produced the records, but OCR found that Cignet made no other effort to resolve the complaints through informal means. OCR found that Cignet’s failure to cooperate with the 27 investigations then underway, as required by 45 C.F.R. § 160.310(b), was due to “willful neglect,” which the HIPAA regulations define as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” 45 C.F.R. § 160.401.

OCR calculated the penalties for Cignet’s failure to provide records at $100 per record per day, totaling $1.3 million. OCR calculated the penalties for Cignet’s failure to cooperate at $50,000 per day per violation, a figure well over the statutory calendar-year maximum of $1.5 million described above. Accordingly, OCR reduced the 2009 and 2010 penalties to $1.5 million per year, resulting in $3 million in total penalties for failure to cooperate.

OCR finalized the $4.3 million proposed CMPs on February 4, 2011. According to the Notice of Final Determination, OCR finalized the penalties because Cignet did not timely request a hearing in accordance with the instructions in the Proposed Determination or otherwise settle the matter as permitted by 45 C.F.R. § 160.416. In addition, OCR informed Cignet that it did not have a right to appeal the determination due to its failure to timely request a hearing. See 45 C.F.R. § 160.422.

Copies of the HHS press release, the Proposed Determination, and the Final Determination are available from HHS.

2. Mass General Agrees to Pay $1 Million to Settle Potential HIPAA Violations.

On February 24, 2011, HHS announced that The General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (Mass General) agreed to pay $1,000,000 to settle potential violations of the HIPAA Privacy Rule. According to the Resolution Agreement (the Agreement) between Mass General and OCR, the incident giving rise to the Agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice (the Practice), some of whom have HIV/AIDS.

In order to work from home, a Mass General employee took documents off the Mass General premises: billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis, and provider name for 66 patients, as well as three days of the Practice’s daily office schedules containing the names and medical record numbers of 192 patients. While commuting back to work several days later, the employee left the documents on the subway, and they were never recovered. OCR opened its investigation of Mass General after a patient whose PHI had been lost in the incident filed a complaint. According to the HHS press release, OCR’s investigation indicated that Mass General potentially violated the HIPAA Privacy Rule by failing to implement reasonable and appropriate safeguards to protect PHI when it is removed from Mass General’s premises, and by impermissibly disclosing PHI. Mass General did not admit any liability or wrongdoing by entering into the Agreement.

In addition to the $1 million settlement payment, Mass General agreed to enter into a Corrective Action Plan (CAP), which requires Mass General to:

  • Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;
  • Provide specific training on the policies and procedures to all workforce members who have access to PHI; and
  • Designate the Director of Internal Audit Services of Partners HealthCare System, Inc. to serve as the Monitor, who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a three-year period.

Copies of the HHS press release and of the Resolution Agreement and CAP are available from HHS.