The 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) significantly expanded the privacy and security obligations associated with the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA privacy regulations (collectively, HIPAA Privacy Rule) restrict the use, access and disclosure of protected health information (PHI) and other individually identifiable health care information.
Among other things, the HITECH Act gave the U.S. Department of Health and Human Services Office for Civil Rights (OCR) broad enforcement power for violations of the HIPAA Privacy Rule occurring as a result of willful neglect. OCR can now impose civil monetary penalties of up to $50,000 per violation. Notably, the HITECH Act also expanded enforcement authority vis-à-vis “business associates” — service providers who handle PHI on behalf of covered entities. For purposes of HIPAA, “covered entities” include health care providers, health care plans and health care clearinghouses. “Business associates” broadly include all entities that use or have access to PHI because they provide services to, or on behalf of, covered entities.
OCR has recently imposed substantial monetary penalties in connection with HIPAA Privacy Rule violations, evidencing its willingness to assert its expanded statutory enforcement authority aggressively. The first of such civil monetary penalties was imposed by OCR on February 22, 2011. OCR issued a Notice of Final Determination to Cignet Health (Cignet) pursuant to which OCR fined Cignet $4,300,000 — or $105,000 per record — in connection with Cignet’s refusal to allow 41 patients access to their medical records and Cignet’s failure to cooperate with OCR’s related investigation. Significantly, the civil monetary penalty imposed in connection with Cignet’s failure to provide patients with their requested medical records accounted for only $1,300,000 of the fine. The additional $3,000,000 was imposed as a result of Cignet’s willful neglect in connection with the related investigation.
Following on the heels of the Cignet decision, on February 24, 2011, OCR announced that the General Hospital Corporation and Massachusetts General Physicians Organization (Mass General) must pay a civil monetary penalty of $1,000,000 in connection with the loss of PHI of 192 Mass General patients. The loss occurred as the result of a Mass General employee leaving hard-copy records containing PHI on the subway. OCR determined that Mass General had violated the HIPAA Privacy Rule by failing to implement reasonable and appropriate safeguards to protect the privacy of PHI.
When announcing the Mass General Resolution Agreement, OCR Director Georgina Verdugo stated: “[w]e hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.” She added that covered entities (and, by implication, their business associates) must always be in compliance with the HIPAA Privacy and Security Rules. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”
The increased potential for significant financial penalties means that it is imperative covered entities and business associates remain vigilant with regard to their HIPAA compliance obligations. Although these OCR investigations involved covered entities, the HITECH Act expanded the coverage of HIPAA to include business associates. Thus, any entity that stores, processes or otherwise manages PHI is also at risk of incurring civil monetary penalties in connection with violations of the HIPAA Privacy Rule.