The last week of February 2011 will likely be remembered as a noteworthy milestone in the history of HIPAA privacy enforcement by the Department of Health and Human Services (“HHS”). Showing that HHS intends to vigorously exercise the expanded civil monetary penalty enforcement provisions enacted in 2009 under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), HHS announced that it had reached significant resolutions of two cases of alleged HIPAA privacy violations by covered entities. In the first announcement, on February 22, HHS disclosed that it had required Cignet Health to pay $4.3 million in civil monetary penalties (“CMPs”) for failing to comply with patient requests to access their health records (protected health information, or “PHI”), and for failing to cooperate in the resulting HIPAA enforcement investigation by the HHS Office for Civil Rights. In addition to drawing attention to HHS’ intent to exercise its expanded powers under HITECH, the case sends a message that failing to take seriously the specific requirements of the HIPAA privacy regulations and to honor patient requests in a diligent and timely manner can result in significant financial exposure for covered entities and their business associates. Of the total $4.3 million CMP imposed against Cignet Health, $3 million related solely to the company’s alleged failure to cooperate in the HIPAA investigation. While such an amount could potentially be avoided or mitigated by organizations that diligently and thoroughly cooperate in any investigation of alleged HIPAA violations, the remaining $1.3 million imposed against the organization indicates the vigorous approach that HHS could take in the future with respect to enforcing patients’ privacy rights.
Two days after the announcement of the $4.3 million CMP against Cignet Health, HHS announced on February 24 that it had reached a resolution agreement with The General Hospital Corporation and its affiliate Massachusetts General Physicians Organization, Inc. (“Mass General”) regarding the loss of 192 paper files containing PHI of Mass General outpatients. The files, which were mistakenly left on a subway train by an employee while commuting, contained billing records with the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of provider for 66 patients. Also left on the train were daily office schedules for three days that contained the names and medical record numbers for 192 patients. HHS found that Mass General had failed to implement reasonable and appropriate standards to protect the privacy of PHI when it is removed from its facilities. Mass General agreed to pay $1 million to resolve the matter, but perhaps just as significant as the large civil penalty is Mass General’s agreement to adhere to a three-year corrective action plan, requiring it to develop and present for HHS approval new privacy and data security policies and procedures intended to address the administrative, technical and physical safeguards required under the HIPAA regulations, and to train all employees within 90 days of HHS approval of those policies. The agreement also requires Mass General to appoint an internal monitor for the corrective action plan, who must report to HHS semi-annually on the results of the monitoring and on any “Reportable Events” under the agreement.
In a requirement of which all covered entities and business associates should take notice, the resolution agreement requires Mass General to issue a communication to all employees prohibiting them from physically removing PHI from facility premises, except for the performance of their job duties and only if reasonable and appropriate steps are taken to safeguard the confidentiality of the PHI removed.