Although the applicable regulatory provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have been the law for nearly a decade, until recently, violations resulted in few, if any, consequences. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) strengthened provisions for civil monetary enforcement, but enforcement action has been minimal. Recently, however, the federal government stepped into the ring in a big way. The United States Department of Health and Human Services (DHHS) Office for Civil Rights (OCR), the agency responsible for receiving complaints about HIPAA violations and for imposing civil monetary penalties, has fired two shots across health providers' bows – these penalties will be stiff and begin with a $4.3 million penalty and a $1 million settlement.
On February 4, 2011, OCR issued a notice of final determination imposing a civil penalty of more than $4.3 million on Cignet Health Center of Prince George's County, Maryland (Cignet). An initial penalty of $1.3 million was based upon Cignet's alleged failure to allow 41 patients to access their own medical records. The press release noted that Cignet refused to cooperate with OCR during its investigation, which resulted in an additional civil monetary penalty of $3 million.
In a separate incident, on February 24, 2011, DHHS announced a $1 million settlement for an alleged HIPAA privacy violation involving General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (Mass General). Mass General agreed to pay a million dollars after an employee left documents that contained the protected health information of 192 patients on a subway train. A substantial portion of these records included the patients' names, diagnoses (some including HIV status), and other personal information; the documents were never recovered. Mass General also adopted a corrective action plan, agreeing to develop appropriate policies and procedures, train its workforce, and implement an internal monitoring program for three years. DHHS explained that effective HIPAA compliance requires a "robust compliance program" that "includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents."
Health care providers are familiar with the HIPAA privacy rule's basic tenets – individually identifiable patient information is protected from inappropriate use and disclosure, and patients are permitted access to their records upon request. The laws of many states enhance HIPAA's privacy protections, further limiting the manner in which this information can be used and disclosed and who may access it. These laws can present additional risks to health care providers. For example, patients have sued providers based upon the invasion of their privacy rights and have attempted to utilize HIPAA to create a private right of action. Additionally, many states have adopted identity theft protection statutes, which prohibit unauthorized disclosure of personal or financial information. These statutes often mandate reporting a privacy breach to the affected individuals and to local or state law enforcement agencies, and they often impose credit monitoring obligations in addition to HIPAA's reporting obligations. Many statutes also create a private right of action for individuals whose personal information is disclosed, sometimes with the potential for treble or punitive damages.
DHHS has stated explicitly that it envisions a comprehensive compliance program, including adequate written policies, staff training, and an effective monitoring program. Health care providers should carefully evaluate their medical privacy and patient access policies and procedures, as well as their training programs and response plans, to ensure that they address all issues that may arise under HIPAA or related state laws. Further, prompt and effective action is necessary following any potential violation.