New Enforcement Actions
On February 24, 2011, the Health and Human Services Office of Civil Rights (OCR) announced a $1 million Health Insurance Portability and Accountability Act (HIPAA) settlement with General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (Massachusetts General Hospital) for alleged violations of the privacy and security regulations of HIPAA (the HIPAA Privacy Rule and Security Rule). The settlement relates to a 2009 incident in which a Massachusetts General Hospital employee took billing encounter forms and daily office schedules home to work over the weekend. The documents contained protected health information on 192 individuals, including their names, birthdates, medical record numbers, health insurer and policy numbers, and diagnoses. While heading back to work, the employee removed the records from her bag and left them on the subway. They were not protected in an envelope but were simply bound with a rubber band. In addition to the $1 million penalty, Massachusetts General Hospital agreed to complete a three-year corrective action plan designed to improve compliance with the HIPAA Privacy and Security Rule.
The Resolution Agreement imposes a number of obligations on Massachusetts General Hospital:
- Policies. Massachusetts General Hospital must develop and implement HIPAA policies, including policies that specifically address physical removal and transport of protected health information, laptop encryption, and USB-drive encryption. In addition, the policies must require workforce members to report HIPAA violations within 30 days to a monitor approved by OCR. The policies must be approved by OCR.
- Training. The hospital must provide training for its workforce. All training materials must be provided to the OCR at the end of each year as part of an annual report.
- Monitoring. The Settlement Agreement appoints the hospital's Director of Internal Audit Services, rather than the Privacy Officer or the Chief Compliance Officer, as a HIPAA monitor. The monitor must develop a monitoring plan, approved by the OCR, which includes unannounced site visits, interviews of staff, and inspections of laptops and USB flash drives. The monitor also receives reports of violations of HIPAA policies and procedures. The monitor must submit reports to OCR every six months summarizing the results of its monitoring activities.
The Massachusetts General Hospital Settlement follows closely on the heels of an announcement by OCR of its imposition of a $4.3 million civil penalty against Cignet Health Center (Cignet) for multiple HIPAA violations. The Cignet penalty is significant because it is the first civil penalty imposed by OCR for violations of the Privacy Rule. According to the Notice of Final Determination, Cignet failed to provide 41 patients with timely access to their medical records, and failed to cooperate with 40 different OCR investigations. A penalty of $100 per day was assessed for failure to provide patients with access to their records (totaling $1.3 million), and a penalty of $50,000 per day was assessed for failing to cooperate with an OCR investigation. The penalty was capped at $1.5 million per year for two years.
In short, HIPAA enforcement appears to be heading down a new path with much more stringent enforcement.
Lessons for Covered Entities
In light of the new emphasis on enforcement, covered entities should consider the following:
- Review and Update HIPAA Policies: The Massachusetts General Hospital Resolution Agreement required the adoption and implementation of specified policies and procedures to address issues such as the removal of protected health information (PHI) outside the entity and encryption of mobile devices. Covered entities should consider whether their policies and practices address these and other common high-risk scenarios. A good place to get a sense of common problems is the Office of Civil Rights Case Examples and Settlement Agreements page, which describes recent actions by covered entities that have been subject to enforcement.
- Walk the Talk: The only thing worse than not having a policy is having a policy that no one reads or follows. Covered entities should be sure their workforce reads, understands, and follows their HIPAA policies. It is advisable to require staff to acknowledge in writing that they have read the policies and will abide by them.
- Train, Train, Train: It is not sufficient for staff to read a covered entity's policies. Covered entities must provide meaningful, regular training to ensure workers understand how HIPAA impacts their work. Staff should be required to certify they have completed the required training.
- Act Quickly: Covered entities must respond promptly to suspected HIPAA violations. Improper uses or disclosures of PHI must be addressed quickly and appropriate corrective action put in place. The corrective action plan will depend on the facts and circumstances, but may include changes in procedures, giving notice of security breaches, retraining, and employee discipline.
- Monitor Compliance: Covered entities must monitor their compliance with HIPAA on an ongoing basis. A robust monitoring program will help discover problems early and minimize risk.
- Set the Tone at the Top: Covered entities will maximize their chances of success if their executive teams stress the importance of complying with HIPAA and other health care laws and regulations.
- Watch for New Developments: The final regulations implementing the Health Information Technology for Economic and Clinical Health Act are expected to be published soon. Covered entities must have a process in place to ensure they know about new regulations and other changes to HIPAA. When the law changes, covered entities must promptly update their affected policies and procedures and train their staff.