HHS Gets Serious About Civil Monetary Penalties for HIPAA Violations


Written By: Carrie A. Hanger,  May 18, 2011

Until recently, the nearly decade-old regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) carried little bite. Even after the passage of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) in 2009, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) had done little in the way of enforcement actions. All of that changed in February of 2011, when the OCR significantly ramped up its enforcement of HIPAA. The OCR imposed the first civil monetary penalty for a HIPAA violation – a whopping $4.3 million – since the enactment of HIPAA and entered into a $1 million settlement with another provider for an alleged HIPAA violation.

The $4.3 Million Civil Monetary Penalty
On Feb. 4, 2011, Cignet Health Center of Prince George’s County, Maryland (“Cignet”) received a $4.3 million civil monetary penalty comprised of $1.3 million for Cignet’s initial HIPAA violations and $3 million for Cignet’s failure to cooperate with the OCR in its investigation. HHS imposes a $4.3 million civil money penalty for violations of the HIPAA Privacy Rule, Feb. 22, 2011, http://www.hhs.gov/news/press/2011pres/02/20110222a.html. The civil monetary penalty resulted from Cignet’s repeated failure to provide copies of medical records requested by 41 Cignet patients, many of whom wanted to seek treatment from non-Cignet providers.

Cignet made several missteps, first by failing to respond to the patients’ requests and then by ignoring requests and a subpoena from the OCR for over a year. Cignet finally produced the records when compelled to do so by a court order. However, Cignet then also produced medical records for another 4,500 patients whose records had not been requested. Cignet did not make any other efforts to resolve the matter with the OCR. HHS, Notice of Proposed Determination (Reference Nos. 09-93069, et al.), http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltynotice.pdf. Instead, Cignet failed to act even after receiving a Notice of Proposed Determination informing Cignet of the $4.3 million civil monetary penalty. Because Cignet did not request a hearing within 90 days of receiving the Notice of Proposed Determination, the civil monetary penalty is final and cannot be appealed. See HHS, Notice of Final Determination (Reference Nos. 09-93069, et al.), http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltyletter.pdf; 45 C.F.R. §§ 160.422, 160.504, 160.548.

The press release announcing the civil monetary penalty signaled that the ramped-up enforcement will continue. HHS Secretary Kathleen Sebelius stated: “The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.” Additionally, the release quoted OCR Director Georgina Verdugo: “Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements. The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.” HHS imposes a $4.3 million civil money penalty for violations of the HIPAA Privacy Rule, Feb. 22, 2011, http://www.hhs.gov/news/press/2011pres/02/20110222a.html.

The $1 Million Settlement
In keeping with this approach, the OCR also reached a $1 million settlement with Massachusetts General Hospital (“Massachusetts General”) for HIPAA violations in February. Mass General Hospital Settles Potential HIPAA Violations, Feb. 24, 2011, http://www.hhs.gov/ocr/privacy/hipaa/news/mghnews.html.

A Massachusetts General employee took documents containing the protected health information of 192 patients, including patients with HIV/AIDS, home with her to do work over the weekend. During her commute back to work, the employee left the documents, uncovered and bound by a rubber band, on the subway. The documents were never recovered and contained patient names, medical record numbers, birth dates, health insurer identification and policy numbers, diagnoses, and provider names. HHS, Resolution Agreement at 1, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/massgeneralracap.pdf. Massachusetts General did not report the incident to the OCR, which became involved after a patient whose protected health information was lost filed a complaint. Mass General Hospital Settles Potential HIPAA Violations, Feb. 24, 2011, http://www.hhs.gov/ocr/privacy/hipaa/news/mghnews.html. As part of the settlement, Massachusetts General agreed to implement a comprehensive set of policies and procedures to safeguard protected health information. HHS, Resolution Agreement at 2, Appendix A.

When announcing the settlement, OCR noted: “[a] robust compliance program [that] includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents” is required for effective HIPAA compliance. Mass General Hospital settles potential HIPAA violations, Feb. 24, 2011, http://www.hhs.gov/news/press/2011pres/02/20110224b.html.

Word to the Wise
While the HIPAA Privacy Rule’s basic requirements – protect individually identifiable patient information from inappropriate use and disclosure and allow patients to access their records upon request – are well established, health care providers and their counsel now have even more reason to ensure providers’ compliance with HIPAA and related laws. HHS has made clear that the days of a slap on the wrist for HIPAA violations are over. HHS has further stated that it expects providers to have a comprehensive program, including adequate written policies, staff training, and effective monitoring, in place to ensure compliance.

Additionally, in both cases, the initial HIPAA violations were brought to light by aggrieved patients rather than by the providers themselves. It is clear that the civil monetary penalty imposed upon Cignet would not have been as large had Cignet not stonewalled the OCR. Although not explicitly stated, it is also likely that the civil monetary penalty for Cignet’s initial violation and Massachusetts General’s settlement would not have been as large had Cignet and Massachusetts General reported the incidents to the OCR with a plan to correct the violations and prevent similar violations from occurring in the future.

Learning from these examples, health care providers and their counsel should look closely at the providers’ medical privacy and patient access policies and procedures, as well as their training programs and response plans, to ensure that they address all issues that may arise under HIPAA or related state privacy laws. Moreover, prompt and effective action following any potential violation and cooperation with the OCR’s investigation of complaints are necessary.

Carrie Hanger is an associate in the Health Care Practice Group of Smith Moore Leatherwood, LLP. She can be reached at carrie.hanger@smithmoorelaw.com or (336) 378-5346.

Views and opinions expressed in articles published herein are the authors' only and are not to be attributed to this newsletter, the section, or the NCBA unless expressly stated. Authors are responsible for the accuracy of all citations and quotations. 
