• Hefty Fines Issued for HIPAA Violations
  • April 15, 2011 | Authors: Bradley V. Martorana; Richard C. Smith
  • Law Firm: Jennings, Strouss & Salmon, P.L.C. - Phoenix Office
  • Within a couple of days of each other, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued civil money penalties (CMPs) to two covered entities for failure to comply with the Health Insurance Portability and Accountability Act's (HIPAA) privacy rule.

    On February 22, 2011, OCR fined Cignet Health of George's County, Md. (Cignet) $4.3 million for failure to provide patients access to medical records within the allotted time frame required by HIPAA. This first-ever imposed penalty was a result of what the OCR claims was Cignet's "willful neglect" to provide 41 patients access to their medical records within 30 to 60 days of the submitted requests. These violations occurred between September 2008 and October 2009.

    OCR Director Georgina Verdugo stated in a news release, "Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA's requirements." Verdugo also indicated that the HHS will continue to investigate and take action against organizations that knowingly disregard their obligations under the HIPAA privacy rules.

    In addition to the direct violations of HIPAA privacy rules, the OCR claimed that Cignet failed to cooperate with its investigations into the violation claims and failed to provide records in response to the OCR's subpoena. HIPAA covered entities are required to cooperate with HHS investigations; however, Cignet only produced the medical records after the OCR filed a petition to enforce its subpoena in U.S. District Court and obtained a default judgment.

    Two days after the Cignet fines were issued, the OCR executed a $1 million resolution agreement with The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General). After an investigation, the OCR determined that Mass General was liable for the privacy rule violation made by an employee who left documents containing protected health information (PHI) related to 192 patients on a subway train.

    The HIPAA privacy rule requires that covered entities protect the privacy of patient information through administrative, physical and technical safeguards at all times. Director Verdugo indicated that the OCR investigation revealed that Mass General failed to establish reasonable and appropriate safeguards to protect the privacy of sensitive information when it was removed from the hospital's premises.

    As part of the resolution agreement, Mass General entered into a Corrective Action Plan, which includes the development and implementation of a comprehensive set of policies and procedures that ensure patient information is protected when removed from the hospital; training of staff members on these policies and procedures; and designating the director of internal audit services of Partners Healthcare System Inc., the hospital's parent company, to serve as an internal monitor to assess the hospital's compliance with the corrective action plan and submit semi-annual reports to HHS for three years.

    "To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules," said Verdugo. "A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents."