Within a couple of days of each other, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued civil money penalties (CMPs) to two covered entities for failure to comply with the Health Insurance Portability and Accountability Act's (HIPAA) privacy rule.
On February 22, 2011, OCR fined Cignet Health of George's County, Md. (Cignet) $4.3 million for failure to provide patients access to medical records within the allotted time frame required by HIPAA. This first-ever imposed penalty was a result of what the OCR claims was Cignet's "willful neglect" to provide 41 patients access to their medical records within 30 to 60 days of the submitted requests. These violations occurred between September 2008 and October 2009.
OCR Director Georgina Verdugo stated in a news release, "Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA's requirements." Verdugo also indicated that the HHS will continue to investigate and take action against organizations that knowingly disregard their obligations under the HIPAA privacy rules.
In addition to the direct violations of HIPAA privacy rules, the OCR claimed that Cignet failed to cooperate with its investigations into the violation claims and provide records in response to the OCR's subpoena. HIPAA covered entities are required to cooperate with HHS investigations; however, Cignet only produced the medical records after the OCR filed a petition to enforce its subpoena in U.S. District Court and obtained a default judgment.
Two days after the Cignet fines were issued, the OCR executed a $1 million resolution agreement with The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General). After an investigation, the OCR determined that Mass General was liable for the privacy rule violation made by an employee who left documents containing protected health information (PHI) related to 192 patients on a subway train.
The HIPAA privacy rule requires that covered entities protect the privacy of patient information through administrative, physical and technical safeguards at all times. Director Verdugo indicated that the OCR investigation revealed that Mass General failed to establish reasonable and appropriate safeguards to protect the privacy of sensitive information when it was removed from the hospital's premises.
As part of the resolution agreement, Mass General entered into a Corrective Action Plan, which includes the development and implementation of a comprehensive set of policies and procedures that ensure patient information is protected when removed from the hospital; training of staff members on these policies and procedures; and designating the director of internal audit services of Partners Healthcare System Inc., the hospital's parent company, to serve as an internal monitor to assess the hospital's compliance with the corrective action plan and submit semi-annual reports to HHS for three years.
"To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules," said Verdugo. "A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents."
Each case a business or individual may face is unique and may require legal advice. If you would like additional information regarding the content of this article or the variety of services Jennings Strouss provides to our health care clients, please contact Fred Cummings.
Richard C. Smith is a member of the Tax, Estate Planning & Probate Departments and represents clients in all aspects of tax, corporate and business planning. His practice has a particular emphasis in the employee benefits area including the design, implementation and other aspects of pension, profit sharing and other qualified plans. He also advises clients in estate planning matters, including estate plans, wills, trust and family partnership agreements. He represents many physicians' practices and handles health care matters for them. Contact Mr. Smith at email@example.com or 602.262.5972.
Bradley V. Martorana is an Associate attorney focusing his practice on corporate, healthcare, tax and securities law. His practice includes counseling corporations, limited liability companies and partnerships as to the tax and non-tax consequences of formation, operation, compensation and other commercial transactions. He also advises buyers and sellers in mergers, acquisitions, reorganizations and other restructurings and represents issuers and investors in private placements of equity and debt securities. Mr. Martorana also advises on a variety of other business and real estate matters. Contact Mr. Martorana at firstname.lastname@example.org or 602-262-5958.