The Office for Civil Rights (OCR) is stepping up enforcement of the Health Insurance Portability and Accountability Act (HIPAA) by imposing Resolution Agreements and Civil Monetary Penalties (CMPs), launching random audits of Covered Entities (CEs) and Business Associates, and training State Attorneys General to bring civil actions on behalf of state residents.
Although Resolution Agreements were relatively uncommon in the past, OCR imposed three Resolution Agreements and one CMP on CEs for HIPAA violations in 2011. This trend suggests that OCR is no longer relying on voluntary compliance alone as its response to HIPAA violations; Resolution Agreements are now central to its enforcement strategy. Further, according to OCR, when it cannot reach a satisfactory resolution through the CE's demonstrated compliance or corrective action, it will impose a CMP. OCR demonstrated its commitment to this principle in February 2011, when it imposed a $4.3 million CMP on Cignet Health, $3 million of which was assessed for failure to cooperate with the OCR investigation.
OCR's model for a Resolution Agreement is illustrated by its July 6, 2011 agreement with the University of California at Los Angeles (UCLA) health system. That Resolution Agreement includes a Corrective Action Plan and payment of a resolution amount. The Corrective Action Plan focuses on the following key elements: (1) maintenance of privacy and security policies and procedures, (2) updating and distribution of those policies and procedures, (3) inclusion of certain minimum content to address the prior deficiency, (4) regular and robust training for employees who use protected health information, and (5) monitoring, typically by an independent monitor, for compliance with the plan over a three-year period. In addition, Resolution Agreements generally require a resolution payment. For example, UCLA was assessed a resolution amount of $865,000 in July 2011, and Massachusetts General Hospital $1,000,000 in February 2011. We expect that OCR will continue to use this template for future Resolution Agreements.
OCR also plans to launch HIPAA compliance audits soon. In June 2011, OCR awarded a $9.2 million contract to KPMG to conduct 150 random site audits of entities by the end of 2012. These audits may result in findings of HIPAA violations and could lead to the imposition of additional Resolution Agreements on CEs.
OCR is also active in providing training and technical assistance to help state Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules through civil actions. It recently completed its first round of regional HIPAA enforcement training sessions designed for state Attorneys General. Some states have already begun to use this new authority: in Vermont and Connecticut, the state Attorneys General have filed civil actions against Health Net on behalf of state residents. In addition to encouraging state Attorneys General to take civil actions, OCR refers cases to the Department of Justice for criminal investigation. As of July 1, 2011, OCR had made 494 such referrals to the Department of Justice.