As we discussed in a previous edition of the Benefits Brief, enactment of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act in February 2009 signaled a new era in the enforcement of HIPAA’s privacy and security rules. Since then, actions taken by the United States Department of Health and Human Services’ Office of Civil Rights (“OCR,” the division charged with HIPAA enforcement) and several state attorneys general reveal just how costly HIPAA violations can be.
OCR Imposes First Formal Penalty for HIPAA Privacy Violation
OCR has had the authority to impose civil penalties on covered entities for HIPAA violations since 2003, but until recently, had not formally done so. Instead, OCR focused on resolving HIPAA privacy and security complaints through voluntary means. If an investigation revealed a possible violation, OCR worked with the alleged violator to obtain voluntary compliance. Although entities sometimes made monetary payments, this occurred only in accordance with settlement agreements entered into voluntarily – OCR had never officially imposed a penalty for a HIPAA privacy or security violation.
The HITECH Act made the investigation of, and imposition of formal penalties for, HIPAA violations due to “willful neglect” mandatory, and significantly increased the maximum dollar amount of HIPAA’s civil penalties, suggesting to many that OCR intended to use this enforcement mechanism more often. In February 2011, OCR exercised its authority to impose civil penalties for HIPAA violations for the first time, and ordered a Maryland health care provider to pay more than $4 million in penalties, most of which resulted from a finding of willful neglect on the part of the provider. The penalty related to complaints filed by 41 individuals who claimed that Cignet Health Center, a Maryland clinic, failed to respond to their requests for access to copies of their own medical records, which in at least some cases were made for purposes of obtaining treatment with other providers. According to OCR, Cignet ignored OCR’s multiple official inquiries and requests for the documents, ultimately producing them only after being ordered to do so by a federal court, years after the initial requests were made. In addition to producing the documents pertaining to the 41 individuals at issue, Cignet also supplied the records of approximately 4,500 other individuals. OCR explained that the total penalty amount of $4,351,600 consisted of $1,351,600 in penalties for the actual HIPAA privacy rule violation (the failure to provide individuals with access to their own protected health information, or PHI – at a cost of $100 per day per person) and $3,000,000 in penalties resulting from Cignet’s willful neglect and failure to cooperate with an investigation.
Cignet’s experience serves as an example that cooperation with OCR can make a difference – in some cases, millions of dollars of a difference – in the monetary cost to a covered entity for a HIPAA violation. By contrast, OCR recently settled an investigation into possible HIPAA violations by a Massachusetts provider for $1,000,000; that matter involved almost 200 individuals whose PHI was lost when an employee of the provider left documents on a commuter train, and the documents were never recovered. In these cases, it clearly pays to cooperate with OCR. Cignet’s experience also shows that HIPAA privacy rules are not only about protecting against unauthorized disclosures of PHI, but also about ensuring that individuals have proper access to their own PHI.
Enforcement Actions by State Attorneys General
The HITECH Act also authorized state attorneys general to bring suits for civil monetary penalties on behalf of state residents for HIPAA violations, whereas HIPAA enforcement responsibilities previously resided only with OCR. OCR recently planned a series of training sessions to help state attorneys general prepare for taking on these responsibilities, and at least a few have already taken enforcement action by filing lawsuits against covered entities that failed to comply with the HITECH Act’s breach notification requirements. Now that attorneys general have enforcement authority as well, and will presumably exercise it in a variety of ways, HIPAA covered entities and business associates should not presume that they will always have the opportunity to voluntarily resolve HIPAA complaints in accordance with OCR’s past practices.
Proactive Approach Will Help Avoid Expensive Mistakes
In addition to having HIPAA privacy and security policies and procedures in place, HIPAA covered entities and business associates should periodically review whether they operationally comply with these rules, and conduct training sessions to ensure that employees who handle protected health information are aware of the requirements for, and the significant risks attendant on, its use and disclosure. Any compliance efforts should take into account the HITECH Act’s relatively new requirements regarding notification of breaches of protected health information. While sometimes tedious, these steps will minimize the risk of the imposition of costly fines and penalties.