In case you haven’t heard, two recent developments in the enforcement of the privacy and security rules under HIPAA should give healthcare compliance and security officers new ammunition in the fight to regain relevance. Last month (Feb 2011) OCR imposed the first ever civil penalty on a healthcare provider under the HIPAA privacy rule and entered into a substantial settlement agreement with another healthcare provider for violations of the HIPAA privacy rule arising from the loss of a few hundred individuals’ protected health information (see OCR’s Press Releases). By doing so, OCR has signaled its seriousness about the enforcement of the HIPAA privacy and security rules. In light of these developments, covered entities and their business associates should review their compliance policies and procedures and confirm good practices with respect to PHI in order to avoid potentially significant fines.
The civil and criminal monetary sanctions that may be imposed by OCR for violations of HIPAA by either a covered entity or its business associate were also dramatically increased by the HITECH Act. Currently, there are four penalty tiers ranging from $100 to $50,000 for each violation, with $25,000 to $1,500,000 for similar violations in the same year. Penalties also vary depending on the degree of culpability of the covered entity or business associate, with the most severe penalties reserved for violations arising from “willful neglect.”
OCR has previously imposed sanctions under settlement agreements with cooperative covered entities for violations of HIPAA. These cases (i.e., Providence Health, CVS, etc.) usually involved a relatively small fine coupled with a Corrective Action Plan detailing improvements in the trouble areas.
In the first civil money penalty ever handed out by OCR, Cignet Health of Maryland was ordered to pay $4.35 million for HIPAA violations arising from the covered entity’s failure to provide 41 patients with access to their protected health information (such access is required according to procedures and timeframes outlined in the HIPAA privacy regulations) as well as the covered entity’s failure to cooperate with OCR’s investigation. Indeed, by failing to cooperate more fully with OCR’s investigation of the patients’ complaints (itself a violation of HIPAA that is subject to sanction), Cignet Health acted with the kind of “willful neglect” that in the view of OCR made it necessary to impose the most stringent monetary penalties. It should be noted that $3 million of the $4.35 million sanction was attributed to Cignet Health’s failure to cooperate.
In another sanction, OCR has entered into a settlement agreement with Mass General. The settlement agreement provides for the payment of $1 million to resolve multiple disclosure violations that occurred when a Mass General employee lost paper medical records containing the PHI of 192 patients on the subway. (Note that these were paper records, not electronic ones; it is easy to overlook protections for paper-based PHI.)
It is also interesting to observe that cooperation with OCR pays off: Mass General’s fine was millions of dollars less than Cignet’s, even though it involved far more patient records. My prediction is a future sanction against a business associate to reinforce the new HITECH direct business associate compliance enforcement capability.
These early cases remind me of the initial FTC actions in the mid-2000s for data privacy issues (ChoicePoint, Guess?, Eli Lilly, etc.) which generally had fines and a consent decree such as requiring that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years. I guess that is one way to get executive management support and funding for your security program…
Another interesting phenomenon is the self-funding nature of compliance enforcement organizations. The more they fine, the more auditing and compliance resources are available to perform audits. Typically, Congress passes these laws with unfunded mandates for enforcement. I believe the same type of funding model for the compliance enforcement function occurs at the FDA and the FTC.
If nothing else, these cases are a reminder that stricter enforcement of HIPAA is not just a threat, and that it is imperative to cooperate fully with OCR in the event of any investigation of an alleged violation of HIPAA.