South Florida Hospital News

June 2011 - Volume 7 - Issue 12
A New Era of HIPAA Compliance: HHS Actions Suggest Increased HIPAA Enforcement

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights recently imposed its first-ever civil money penalty (CMP) for violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule for $4.3 million. Shortly after imposing the $4.3 million penalty, HHS announced another settlement for a health care entity’s potential HIPAA Privacy Rule violation for $1 million. These back-to-back HHS enforcement actions indicate that HHS is taking HIPAA violations seriously, and health care providers should take heed.

Cignet Health: Penalized for Willful Neglect
In February 2011, HHS imposed a CMP of $4.3 million on Cignet Health of Prince George’s County, Md. (Cignet). The HIPAA Privacy Rule requires that health care entities subject to HIPAA’s requirements provide patients with copies of their medical records within 30 days (and no later than 60 days) of a patient’s request. HHS found that Cignet violated 41 patients’ rights by denying them access to their medical records between September 2008 and October 2009. HHS imposed a CMP of $1.3 million for these violations.
Furthermore, health care entities are required by law to cooperate with HHS investigations. Cignet initially refused to respond to HHS demands to produce medical records and failed to cooperate with HHS investigations. Additionally, Cignet made no effort to resolve the complaints through informal means. HHS ultimately found that Cignet willfully neglected to comply with the HIPAA Privacy Rule and failed to cooperate with HHS investigations during 2009 and 2010. HHS imposed an additional $3 million in penalties ($1.5 million for each year during which violations occurred) for these violations.
The authority for HHS’s imposition of the additional $3 million penalty arises from section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a provision which amended the penalty amounts established under HIPAA for Privacy Rule violations occurring on or after February 18, 2009. Prior to February 18, 2009, HHS was authorized to impose CMPs of up to $100 for each violation. The total amount imposed on a health care entity for violations of an identical requirement or prohibition during a calendar year could not exceed $25,000. However, under section 13410(d) of the HITECH Act, HHS is now authorized to impose CMPs ranging from not less than $100 to more than $50,000 for each violation. In addition, the total amount imposed on a health care entity for violations of an identical requirement or prohibition during a calendar year has been increased from $25,000 to $1.5 million.
Massachusetts General Hospital: Settling Potential Violations
Shortly after the CMP was imposed against Cignet, HHS announced that another health care entity had paid $1 million for potential HIPAA Privacy Rule violations. A Massachusetts General Hospital (MGH) employee removed documents containing protected health information from MGH in order to work on them from home. The employee had the documents held together by a rubber band and accidentally left them on the subway while commuting. The documents were never recovered; they contained the protected health information of 192 patients, including patients with HIV/AIDS.
HHS’s investigation indicated that MGH failed to implement reasonable and appropriate safeguards to protect the privacy of protected health information and impermissibly disclosed the information, potentially violating provisions of HIPAA. MGH agreed to settle the potential HIPAA violations by paying $1 million and by entering into a Corrective Action Plan (CAP). The CAP requires MGH to (1) develop and implement policies and procedures that adequately safeguard protected health information, (2) train employees on the new policies, and (3) render semi-annual reports to HHS for a 3-year period.
HHS stated that a robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to potential HIPAA violations. It is evident from the MGH example that HHS intends to impose harsh penalties on health care entities for HIPAA violations, even when the violations are inadvertent.
Comprehensive HIPAA training programs should be administered to all employees in accordance with current legal requirements, and all such training should be thoroughly documented.
Gabriel L. Imperato is the Managing Partner of the Fort Lauderdale office of Broad and Cassel. He can be reached by calling (954) 745-5223 or by e-mail at