On February 22, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced its first-ever civil monetary penalty (CMP) of $4,351,600 imposed on Cignet Health of Prince George’s County, Maryland (Cignet) for alleged violations of the HIPAA Privacy Rule. Just two days later, on February 24, 2011, OCR announced a $1 million settlement resolving a HIPAA privacy complaint with General Hospital Corp. and Massachusetts General Physicians Organization Inc. (Mass General).
$4.3 Million Civil Monetary Penalty
In a Notice of Final Determination dated February 4, 2011, OCR finalized the imposition of the $4.3 million CMP on Cignet. In the Notice of Proposed Determination, dated October 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. The HIPAA Privacy Rule requires a covered entity to provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. According to the Notice of Proposed Determination and OCR’s press release, these patients individually filed complaints with OCR, initiating investigations of each complaint. During the investigations, OCR asserted that Cignet failed to respond to OCR’s demands to produce the records.
Additionally, Cignet allegedly did not cooperate with OCR’s investigations of many of the complaints and failed to produce the records in response to OCR’s subpoena. OCR subsequently filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, including additional records not requested by OCR, but otherwise made no efforts to resolve the complaints through informal means.
In imposing the CMP, OCR determined that that there were two bases for the penalty: (1) Cignet’s failure to provide timely access to the 41 individuals who requested copies of their medical records, and (2) Cignet’s failure to cooperate with OCR’s investigation of 27 complaints; OCR found the failure to cooperate was due to Cignet’s willful neglect. As defined in the interim final enforcement rule implementing the HITECH Act changes to penalties, willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. Violations due to willful neglect incur the highest penalty amounts of a minimum of $50,000 per violation up to an annual aggregate maximum of $1.5 million for identical violations.
In calculating the amount of the imposed on Cignet, each failure to provide access to the records and to cooperate with the OCR investigations counted as a separate violation. Furthermore, each day that the violations continued also counted as a separate violation. For each of the 41 failures to provide individual access, the computation of the CMP was calculated at $100 multiplied by the number of days each violation continued (13,516), totaling $1,351,600.
In calculating the additional $3 million in penalties for Cignet’s alleged failure to cooperate with the 27 individual complaint investigations due to its willful neglect, the minimum penalty is $50,000 per day per violation with an annual aggregate maximum of $1.5 million for the same violations. Due to the number of days that the violations continued, the total amounts exceed the penalty cap and therefore the maximum of $1.5 million was imposed for each of 2009 and 2010.
$1 Million Settlement
Just two days after announcing the first CMP, OCR announced a $1 million settlement with Mass General to resolve potential HIPAA violations following the loss of documents containing protected health information (PHI) of 192 patients of the Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. An employee allegedly took documents out of the office to work on them at home. The documents contained names, medical record numbers, health insurance and other information. According to the Resolution Agreement, while commuting to work on the subway, the employee left the documents, bound by a rubber band, on the seat on the train. The records were never recovered.
As part of the settlement, Mass General agreed to enter into a three-year Corrective Action Plan (CAP), which requires it to:
- develop and implement a comprehensive set of policies and procedures to protect PHI when taken off the premises – which must address physical removal and transport of PHI, laptop encryption, and USB drive encryption
- train workforce members on these policies and procedures, and
- designate the Director of Internal Audit Services of Partners HealthCare System Inc. to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a three-year period.
While the Cignet case could be considered to be an isolated and extreme example, the type of HIPAA breach in the Mass General case is not unusual. The timing of the two announcements, significant penalties, and three-year CAP (for Mass General) may signal OCR’s plans to use the HITECH-increased penalties as an enforcement tool. As evidenced in these two recent announcements, the increased penalty amounts and penalty tiers under HITECH and the interim final enforcement rule can quickly multiply into costly penalties. HIPAA-covered providers and entities should review their policies and procedures for compliance with HIPAA.
More information is available on the OCR Web site for both the Cignet Notice of Final Determination and civil monetary penalty (http://www.hhs.gov/ocr/privacy/hipaa/news/cignetnews.html) and the Mass General settlement (http://www.hhs.gov/ocr/privacy/hipaa/news/mghnews.html).