HIPAA Enforcement Escalates -- What Does This Mean for the Healthcare Industry?
By Shannon Hartsfield Salimone, Holland & Knight LLP, Tallahassee, Florida
For many years, HIPAA enforcement activities were minimal, or did not result in significant penalties, giving many covered entities a false impression that HIPAA compliance need not be a priority. All of that changed, however, in February of 2011 when the Department of Health and Human Services (HHS) announced HIPAA settlements and penalties totaling $5.3 million, involving two different covered entities.
The February 2011 Cases
The two cases announced in February both involved significant monetary amounts, but the facts and circumstances were quite different. On February 22, HHS announced [1] the first civil money penalty for violations of the HIPAA Privacy Rule. The $4,351,600 fine was based on the increased penalties set forth in the HITECH Act. [2] OCR's Notice of Proposed Determination, [3] referenced in the February 4 Final Notice, [4] states, in part, that Cignet Health of Prince George's County, Maryland (Cignet) failed to provide medical records to 41 individuals after requests for records were received by Cignet. The notice states that Cignet did not respond to OCR's numerous attempts to contact the company, and failed to respond to a subpoena. After a court ordered Cignet to produce a copy of the complete medical records for 11 individuals, Cignet, according to the OCR notice, delivered 59 boxes of original medical records to the Department of Justice, containing not only the records of the individuals listed in the subpoena, but also the records of approximately 4,500 other individuals who were not the subject of any OCR request.
Two days later, OCR announced [5] its settlement agreement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) to pay $1 million for alleged violations. In a Resolution Agreement signed on February 14, 2011, [6] OCR alleged HIPAA violations stemming from a Mass General employee who removed documents containing protected health information (PHI) from Mass General's premises in order to work on them at home. The employee inadvertently left these documents containing PHI on the subway, exposed to the public. Without any finding of liability, Mass General agreed to make the $1 million payment to HHS and to enter into a three-year Corrective Action Plan (CAP). [7] Mass General's obligations under the CAP include developing and/or revising written policies and procedures regarding the physical removal and transport of PHI, laptop encryption, and USB drive encryption. The CAP also requires workforce members to read, learn about, and abide by these policies. Mass General has agreed that it will assess and revise the policies, as necessary, on an annual basis.
What Should Covered Entities Be Doing Now?
Based on the outcome of the Cignet case, covered entities should take note of the importance of responding promptly and appropriately to OCR requests. The alleged failure to cooperate and the finding by OCR that Cignet’s actions constituted willful neglect undoubtedly played a role in OCR's decision to impose a significant civil money penalty.
The Mass General case is based on very different circumstances, which likely played a role in the lower dollar amount Mass General was required to pay in connection with the settlement. It is difficult, if not impossible, for a covered entity to completely insulate itself against a situation like the one faced by Mass General. Employees sometimes commit errors when dealing with PHI. What covered entities must do, however, is try to minimize harm by ensuring that all employees are trained to treat PHI with great care.
In a press release regarding the Mass General settlement, Office for Civil Rights (OCR) Director Georgina Verdugo stated, "[w]e hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information." Covered entities and business associates will continue to receive OCR inquiries related to complaint investigations. Detailed enforcement statistics are available through the OCR website. [8]
Some covered entities and business associates are waiting for the final HITECH rules to be published before making major changes to policies and procedures. Because of recent enforcement activity, however, this is an excellent time for covered entities and business associates to review their existing compliance programs. Some OCR investigators expect to see very detailed policies and procedures that address the particular risks an entity faces. For example, in the list of enforcement cases on its website, [9] OCR discusses a hospital that was required to implement new policies addressing the use of the minimum amount of information necessary when employees leave telephone messages for patients. Healthcare entities should perform risk analyses as well as review their policies and procedures to identify areas that may need to be changed or augmented to address particular risks to PHI.
Entities subject to HIPAA should also review their employee training programs, and determine whether it is time for updated training. The current privacy and security rules require covered entities to train workforce members as well as provide periodic security reminders. It is critical to sensitize employees to the potential consequences of improper uses or disclosures of PHI. As illustrated by these cases, PHI must be handled with great care, and entities must respond to OCR inquiries adequately. Increased enforcement activity re-emphasizes the need to take HIPAA compliance seriously.
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section.