The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has recently announced two significant enforcement actions against health care providers for violating the HIPAA Privacy Rule. In the first matter, Cignet Health Care of Prince George’s County, MD was assessed a $4.3 million civil monetary penalty for failing to provide patients with access to their health records and for failing to cooperate with the ensuing OCR investigation. In the second action, Massachusetts General Hospital agreed to pay $1 million to resolve an investigation that began after an employee lost documents containing the protected health information of 192 patients on the subway.
These actions are the first major enforcement activities by the OCR, which was authorized by the HITECH Act to impose significantly increased penalty amounts for HIPAA violations. OCR Director Georgina Verdugo announced that the OCR is serious about HIPAA enforcement and will take action against those organizations that disregard their obligations under HIPAA.
In the Cignet investigation, OCR determined that Cignet violated the rights of 41 patients by denying them access to their medical records when requested. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical record within 30 days of the patient’s request; a single 30-day extension is permitted, so the copy must be provided no later than 60 days after the request. Cignet was assessed civil monetary penalties of $1.3 million for failure to provide the medical records and an additional $3 million for failure to cooperate with the OCR during its investigation.
The Mass General case involved the loss of patient schedules containing the names and medical record numbers of 192 patients, along with billing forms containing the personal information of 66 of those patients. The documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left them on the subway; they were never recovered. As part of the resolution of the investigation, Mass General agreed to enter into a Corrective Action Plan that requires the hospital to develop and implement a comprehensive set of policies that ensures medical information is protected when it is removed from the premises, to train employees on those policies, and to submit semi-annual reports to HHS for 3 years.
These enforcement actions demonstrate that health care providers must ensure they remain in compliance with the HIPAA Privacy and Security Rules at all times. According to the OCR, providers should maintain a robust compliance program that includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan for responding to incidents.