The Security Scrutinizer with Howard Anderson

HIPAA Enforcement Steps Up

Two High-Profile Privacy Cases Gain Attention

Two high-profile announcements of penalties for HIPAA privacy rule violations last week came as good news for those of us who've been waiting for enforcement efforts to ramp up.

The most powerful way to help ensure HIPAA compliance is for some organizations to get hit with well-publicized penalties. These two new cases, and perhaps others to come, could be powerful compliance catalysts. And one case shows just how costly "willful neglect" to comply with HIPAA can be.

In the willful neglect case, Cignet Health was slapped with a $4.3 million civil monetary penalty, the first of its kind, for violations of the HIPAA privacy rule, including failure to cooperate with investigators, according to the Department of Health and Human Services.

The group of four clinics in Maryland failed to provide 41 patients with access to their medical records. Then Cignet failed to cooperate with HHS Office for Civil Rights investigations from March 2009 to April 2010, constituting willful neglect, according to HHS.

The HITECH Act created higher fines for HIPAA violations, especially for those involving willful neglect. And those higher fines were issued in this case. That's significant, given that the final version of the rule carrying out the tougher enforcement provisions has yet to be published.

In the other HIPAA case announced last week, one of the nation's largest academic medical centers, Massachusetts General Hospital, agreed to a $1 million settlement as part of a broader resolution agreement. The hospital also agreed to take corrective action to avoid future violations. The case involved a staff member losing paper documents on a subway; the files on 192 patients included information on those with HIV/AIDS.

HIPAA Lessons Learned

A key lesson from these two cases is this: It pays to cooperate with federal investigators.

And clearly the time has come to make sure your organization is taking all the necessary steps to be fully HIPAA compliant. That includes educating your staff about your privacy policies (such as how to protect patient information that's removed from a hospital), conducting a comprehensive risk assessment and taking steps to mitigate risks.

Unfortunately, another important component of the HIPAA enforcement strategy, as mandated by the HITECH Act, is still stalled. At the Healthcare Information and Management Systems Society Conference last week, Adam Greene of the HHS Office for Civil Rights said the office is still studying its strategic options for a HIPAA compliance audit program.

OCR, which hired the consulting firm Booz Allen Hamilton to help design the auditing program, "is still working through what will give us the most bang for the buck," Greene said. For example, it's still weighing whether to audit a random sample of healthcare organizations or "going wider," he said, declining to pinpoint when the audit program might kick in.

Greene also reiterated that the final version of rules to modify HIPAA privacy, security and enforcement rules will be issued at the same time as a final version of the breach notification rule. But again, he wouldn't say when those rules would be unveiled, other than to say they would be issued this year.

Nevertheless, last week's two high-profile HIPAA cases make one thing clear: Federal officials aren't letting the pending regulations and audits stop them from moving ahead with enforcement.

It will be interesting to find out how many of the more than 240 major health information breach cases reported to OCR since the HITECH breach notification rule took effect in September 2009 result in resolution agreements, civil monetary penalties or other high-profile enforcement actions.

Meanwhile, if you're looking for ammunition to help win funding for security and privacy initiatives, show your CEO and board members the news about the two recent HIPAA cases and alert them to the upcoming audits as well. That should help.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
