HIPAA Enforcement Steps Up
Two High-Profile Privacy Cases Gain Attention
The most powerful way to help ensure HIPAA compliance is for some organizations to get hit with well-publicized penalties. These two new cases, and perhaps others to come, could be powerful compliance catalysts. And one case shows just how costly "willful neglect" to comply with HIPAA can be.
In the willful neglect case, Cignet Health was slapped with a $4.3 million civil monetary penalty, the first of its kind, for violations of the HIPAA privacy rule, including failure to cooperate with investigators, according to the Department of Health and Human Services.
The group of four clinics in Maryland failed to provide 41 patients with access to their medical records. Then Cignet failed to cooperate with HHS Office for Civil Rights investigations from March 2009 to April 2010, constituting willful neglect, according to HHS.
The HITECH Act created higher fines for HIPAA violations, especially for those involving willful neglect. And those higher fines were issued in this case. That's significant, given that the final version of the rule carrying out the tougher enforcement provisions has yet to be published.
In the other HIPAA case announced last week, one of the nation's largest academic medical centers, Massachusetts General Hospital, agreed to a $1 million settlement as part of a broader resolution agreement. The hospital also agreed to take corrective action to avoid future violations. The case involved a staff member losing paper documents on a subway; the files on 192 patients included information on those with HIV/AIDS.
HIPAA Lessons Learned
A key lesson from these two cases is this: It pays to cooperate with federal investigators.
And clearly the time has come to make sure your organization is taking all the necessary steps to be fully HIPAA compliant. That includes educating your staff about your privacy policies (such as how to protect patient information that's removed from a hospital), conducting a comprehensive risk assessment and taking steps to mitigate risks.
Unfortunately, another important component of the HIPAA enforcement strategy, as mandated by the HITECH Act, is still stalled. At the Healthcare Information and Management Systems Society Conference last week, Adam Greene of the HHS Office for Civil Rights said the office is still studying its strategic options for a HIPAA compliance audit program.
OCR, which hired the consulting firm Booz Allen Hamilton to help design the auditing program, "is still working through what will give us the most bang for the buck," Greene said. For example, it's still weighing whether to audit a random sample of healthcare organizations or "going wider," he said, declining to pinpoint when the audit program might kick in.
Greene also reiterated that the final version of rules to modify HIPAA privacy, security and enforcement rules will be issued at the same time as a final version of the breach notification rule. But again, he wouldn't say when those rules would be unveiled, other than to say they would be issued this year.
Nevertheless, last week's two high-profile HIPAA cases make one thing clear: Federal officials aren't letting the pending regulations and audits stop them from moving ahead with enforcement.
It will be interesting to find out how many of the more than 240 major health information breach cases reported to OCR since the HITECH breach notification rule took effect in September 2009 result in resolution agreements, civil monetary penalties or other high-profile enforcement actions.
Meanwhile, if you're looking for ammunition to help win funding for security and privacy initiatives, show your CEO and board members the news about the two recent HIPAA cases and alert them to the upcoming audits as well. That should help.