Vigorous HIPAA Privacy Rule enforcement

With the announcement of Cignet's $4.3 million civil monetary penalty and two recent resolution payments, HHS's Office for Civil Rights sent a clear message that it is serious about enforcing HIPAA's Privacy Rule. Covered entities should therefore ensure that they have a robust HIPAA compliance program that includes employee training, vigilant implementation of policies and procedures, internal audits and a prompt action plan for responding to incidents.

Background

The Health Insurance Portability and Accountability Act's (HIPAA's) Privacy Rule is a set of federal standards that protect the privacy of medical records and other health information maintained by covered entities. These standards give patients access to their medical records and significant control over how their protected health information (PHI) is used and disclosed.

The U.S. Department of Health and Human Services (HHS) delegated Privacy Rule enforcement to HHS's Office for Civil Rights (OCR). For violations occurring before Feb. 18, 2009, OCR may impose civil monetary penalties (CMP) of up to $100 for each violation, and the total for multiple violations of an identical Privacy Rule requirement may not exceed $25,000 in a calendar year.

For violations occurring on or after Feb. 18, 2009, consistent with the increased penalty provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, OCR may impose a CMP of between $100 and $50,000 for each violation, provided that the total imposed on a covered entity for violations of an identical requirement in a calendar year does not exceed $1.5 million.

OCR enforcement

As of May 31, 2011, OCR had investigated and resolved more than 13,745 cases by requiring covered entities to change their privacy practices or take other corrective action. Of those thousands of resolved cases, HHS has entered into six Resolution Agreements and recently issued its first CMP. A Resolution Agreement is a contract between HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and to report to HHS, generally for a period of three years, during which HHS monitors the covered entity's compliance with those obligations. A Resolution Agreement is also likely to include payment of a resolution amount. These agreements are reserved for settling investigations with more serious outcomes. When HHS cannot reach a satisfactory resolution through the covered entity's demonstrated compliance, corrective action or other informal means, a CMP may be imposed for noncompliance.

First CMP issued by OCR

On Feb. 22, 2011, OCR announced that a covered entity, Cignet Health of Prince George’s County, Maryland (Cignet), violated the Privacy Rule. OCR imposed a CMP of $4,351,600 for the violations, representing the first CMP issued by OCR for violations of the Privacy Rule. In its calculation, OCR utilized the increased penalty amounts authorized by the HITECH Act.

OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records. Each of these patients made a request to obtain their records between September 2008 and October 2009 and filed a complaint with OCR. The Privacy Rule requires that a covered entity provide patients with a copy of their medical records within 30 (and no later than 60) days of a patient request. The CMP for these violations was $1,351,600.

During OCR's investigation, Cignet refused to respond to OCR's repeated demands to produce the records. After OCR issued a subpoena and Cignet failed to respond, OCR filed a petition to enforce the subpoena and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet delivered 59 boxes of medical records containing not only the records required by the subpoena but also the medical records of approximately 4,500 individuals whose records OCR had not requested and for whom Cignet had no basis to disclose PHI to OCR. Apart from that delivery, Cignet made no effort to resolve the complaints through informal means.

Covered entities are required under law to cooperate with OCR’s investigations. OCR found that Cignet’s failure to cooperate was due to willful neglect to comply with the Privacy Rule, and the CMP for these violations was $3 million.

Cignet’s conduct with respect to the OCR investigation was extreme. However, the message is clear: covered entities should cooperate with the OCR when it is investigating a Privacy Rule complaint.

Recent resolution agreements

In a Resolution Agreement dated July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,000 and committed to a Corrective Action Plan (CAP). The Resolution Agreement resolved two separate complaints filed with OCR on behalf of two celebrity patients. The complaints alleged that UCLAHS employees repeatedly and impermissibly looked at these patients’ electronic PHI. As part of its investigation, OCR found that from 2005-2008 unauthorized employees repeatedly looked at the electronic PHI of numerous other UCLAHS patients. The CAP requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct trainings for all UCLAHS employees who use PHI, to sanction employees who fail to comply with the policies and procedures, and to designate an independent monitor. In its press release related to this Resolution Agreement, OCR emphasized that “trainings and meaningful [HIPAA] policies and procedures, including audit trails, [must] become part of the every day operations of any health care provider.”

On Feb. 14, 2011, OCR announced that General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) had signed a Resolution Agreement and agreed to pay $1 million to settle potential violations of the Privacy Rule. The facts that gave rise to the OCR investigation involved an employee of Mass General's Infectious Disease Associates outpatient practice, which treats patients with HIV/AIDS. In March 2009, the employee removed documents containing PHI from Mass General premises in order to work on them from home. The documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients, and the practice's daily office schedules for three days, containing the names and medical record numbers of 192 patients. While commuting to work, the employee left the documents on a subway train, and they were never recovered.

As part of the Resolution Agreement, Mass General agreed to enter into a CAP which requires it to:

  • Develop and implement a comprehensive set of policies and procedures governing the physical removal and transport of PHI, laptop encryption and USB drive encryption;
  • Train workforce members on these policies and procedures; and
  • Monitor Mass General’s compliance with the CAP and render semi-annual reports to HHS for a three-year period.

Comparison of Mass General to 2008 settlement

Mass General’s $1 million resolution amount was higher than expected in light of the fact that the missing records were paper records, the number of patients was relatively small and this type of data breach is not unusual. For example, in 2008, OCR entered into its first Resolution Agreement with Providence Health & Services (Providence) to settle similar potential Privacy Rule violations.

On several occasions between September 2005 and March 2006, backup tapes, optical disks and laptops, all containing unencrypted electronic PHI, were removed from Providence premises and left unattended. The media and laptops were subsequently lost or stolen, compromising the PHI of over 386,000 patients. Under the Resolution Agreement, Providence paid a $100,000 resolution amount and implemented a Corrective Action Plan that required: revising its policies and procedures regarding physical and technical safeguards (e.g., encryption), governing off-site transport and storage of electronic media containing patient information, training workforce members on the safeguards, conducting audits and site visits of facilities, and submitting compliance reports to HHS for a period of three years.

Comparing the facts and the resolution payments between Providence and Mass General, it appears that OCR has become much more vigorous in Privacy Rule enforcement.

Conclusion

In the press release related to Mass General’s settlement, OCR Director Georgina Verdugo stated, “[w]e hope the health care industry will take a close look at this [Resolution Agreement] and recognize that OCR is serious about HIPAA enforcement.” Additionally, covered entities should expect continued robust enforcement as evidenced by OCR’s request for a 13.6 percent increase in its budget for fiscal year 2012.

While Cignet's conduct was egregious, the magnitude of recent resolution amounts and the increased CMP available under the HITECH Act are a wake-up call to covered entities to review their HIPAA compliance programs. A HIPAA compliance program should include training for employees who have access to and use PHI, vigilant implementation of policies and procedures, regular internal audits and a prompt action plan for responding to incidents. Because two of the Resolution Agreements described above (Providence and Mass General) involved off-site data breaches, covered entities should pay particular attention to their HIPAA policies and procedures for transporting, storing or using PHI off-site.

Health care reform and access to care: health insurance exchanges, health cooperatives, community insurance and Medicaid

Presenters:
Robert Harrison, Snow, Christensen & Martineau

The recent HITECH amendments to HIPAA have increased the stakes for anyone who handles patient health information, including attorneys and law firms. In these podcasts, Robert discusses health reform and access to care: health insurance exchanges, health cooperatives, community insurance and Medicaid.

These podcasts are part of the Law Firm Alliance – 2010 Health Care Reform podcast series.

HIPAA and the new HITECH amendments (Part Two)

Overview of the privacy, security and breach notification rules

Presenters:
Karin M. Zaner and Jennifer S. Brownell, Kane Russell Coleman & Logan PC

Business associates and covered entities must comply with HIPAA's Privacy, Security and Breach Notification Rules. Anyone who is undertaking new compliance efforts or evaluating existing efforts must have a working knowledge of these three rules and their underlying aims. In this podcast, Karin and Jennifer generally review and discuss the purpose behind and the basic safeguards set out in the Privacy, Security and Breach Notification Rules, so that covered entities and business associates (including attorneys who are handling protected health information in the course of representing their clients) can begin to evaluate existing compliance efforts or craft new compliance policies and procedures.

This podcast is part of the Law Firm Alliance – 2010 Health Care Reform podcast series.

Hospital hit with lawsuit after complying with grand jury subpoena

On Feb. 1, the U.S. District Court in Cleveland issued a significant decision concerning the disclosure of medical information in response to a grand jury subpoena.

The grand jury subpoena was issued to the Cleveland Clinic as part of a criminal investigation of James Turk for carrying a concealed weapon. The Cleveland Clinic complied with the subpoena and supplied the records to a police detective as instructed by the subpoena. As a result of the criminal investigation, Turk was charged with various offenses. A jury eventually acquitted him of one charge and the other charges were dismissed. Turk then filed a lawsuit in federal court against the police and various other defendants, including the Cleveland Clinic. The lawsuit alleged the defendants violated his rights in connection with the criminal investigation.

Regarding his medical records, Turk claimed the Cleveland Clinic violated his privacy rights by releasing privileged medical records in response to the grand jury subpoena. The clinic argued the claim should be dismissed because the clinic was responding to a grand jury subpoena. The clinic argued that Ohio courts do not extend the physician-patient privilege to records subpoenaed by the grand jury because the disclosure to the grand jury is not a public disclosure. The clinic also argued that the disclosure was required because there is a countervailing interest in investigating criminal activity.

The trial court rejected both arguments and overruled the clinic's motion to dismiss. The court ruled that there is no statutory exception to the physician-patient privilege that permits disclosure of medical records in response to a grand jury subpoena. The court also rejected the public policy argument that the government's interest in investigating criminal activity outweighed Turk's interest in maintaining the confidentiality of his medical records, concluding that no such public policy exception to the physician-patient privilege exists under Ohio law.

The court also addressed the applicability of the Health Insurance Portability and Accountability Act (HIPAA) to the disclosure of Turk’s medical records. HIPAA authorizes (but does not require) a hospital to release a patient’s medical records in response to a grand jury subpoena. HIPAA preempts state law unless the state law relates to the privacy of individually identifiable health information and is more stringent than HIPAA. The court concluded that Ohio Revised Code §2317.02 (Ohio’s physician-patient privilege statute) is more stringent than HIPAA, and therefore is not preempted.

When deciding whether to disclose medical records, health care providers need to consider Ohio Revised Code §2317.02 as well as HIPAA. A disclosure authorized by HIPAA may be prohibited under Ohio Revised Code §2317.02. In addition, special attention should be paid to requests for records from law enforcement, including grand jury subpoenas and criminal trial subpoenas. The public’s interest in investigating criminal activity is not necessarily more important than the public’s interest in preserving the confidentiality of medical records. Providers should consult legal counsel when necessary.

AMA Adopts New Guidelines on Responding to Breaches of Patient Records

On June 15, 2009, the American Medical Association (AMA) approved new guidelines for physicians on responding to breaches of patients' electronic medical records (EMR).

According to the AMA Council on Ethical and Judicial Affairs (CEJA) in its report, CEJA Report 3-A-09, these guidelines are intended to fill an important gap in the AMA's policy, which, until now, did not "address physicians' ethical responsibilities in the event the security of electronic records is breached and patient data are inappropriately accessed." The CEJA identified the need for the guidelines particularly in light of the newly enacted American Recovery and Reinvestment Act of 2009 (ARRA), which amended the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to mandate that patients be notified in the event of certain breaches of their medical records.

As adopted, the guidelines state:

"When there is reason to believe that patients’ confidentiality has been compromised by a breach of the electronic medical record, physicians should:

  1. Ensure that patients are promptly informed about the breach and potential for harm, either by disclosing directly (when the physician has administrative responsibility for the EMR), participating in efforts by the practice or health care institution to disclose, or ensuring that the practice or institution takes appropriate action to disclose.
  2. Follow ethically appropriate procedures for disclosure, which should at minimum include: 
    1. carrying out the disclosure in a private setting and within a time frame that provides patients ample opportunity to take steps to minimize potential adverse consequences; and
    2. describing what information was breached; how the breach happened; what the consequences may be; what corrective actions have been taken by the physician, practice, or institution; and what steps patients themselves might take to minimize adverse consequences.
  3. Support responses to security breaches that place the interests of patients above those of the physician, medical practice, or institution.
  4. To the extent possible, provide information to patients to enable them to mitigate potential adverse consequences of inappropriate disclosure of their personal health information, such as credit monitoring services or identity theft hotline."

Now, physicians and other health care providers who intend to establish policies to address responses to breaches of their patients' EMR must not only take into account the above AMA guidelines and the recent amendments to HIPAA but they also must remember to consult the applicable laws of their own state.

Ohio's Physician-Patient Privilege and Grand Jury Subpoenas

The Fourth District Court of Appeals in Ohio recently released an opinion indicating that the trial court erred by refusing to grant a motion to quash a grand jury subpoena requesting medical records from a physician. The grand jury had issued a subpoena ordering the physician to produce the medical records of over 50 patients.

The case is instructive regarding application of the physician-patient privilege to grand jury subpoenas in Ohio. Under federal privacy regulations, a covered entity may disclose protected health information without a "HIPAA-compliant" authorization in compliance with, and as limited by, the relevant requirements of a grand jury subpoena. See 45 C.F.R. 164.512(f)(1)(ii)(B). However, an Ohio court has recognized that the state law physician-patient privilege is more stringent than the federal privacy regulations. See Grove v. Northeast Ohio Nephrology Assoc., 2005-Ohio-6914, Paragraphs 18-23.

The Ohio Supreme Court has stated that, in the absence of a prior authorization, a physician or hospital is privileged to disclose confidential medical information in those special situations where disclosure is made in accordance with a statutory mandate or common law duty, or where disclosure is necessary to protect or further a countervailing interest that outweighs the patient's interest in confidentiality. Biddle v. Warren Gen. Hosp., 1999-Ohio-115 (syllabus).

In this case, the Court found no statutory exception to the physician-patient privilege. In addition, the Court refused to "judicially create a public policy exception to the privilege statute for grand jury subpoenas." Physicians and hospitals should be aware of this opinion (and its analysis) when responding to grand jury subpoenas requesting medical records.