Trend Alert: Dept. of Health More Aggressively Enforcing HIPAA

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) recently imposed its first civil monetary penalty (CMP) for a violation of the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) since the rule went into effect in 2003. The action signifies a shift in how the OCR approaches HIPAA enforcement.

Historically, the OCR’s approach to Privacy Rule violations has been passive – but that has started to change, Becker’s Hospital Review reports. To ensure compliance and avoid hefty fines, hospitals should revisit their compliance documents, update them and conduct training. Hospital officials should also plan to conduct retraining regularly.    

Recently, the OCR fined Cignet Health of Prince George’s County, Md., $4.3 million for its violations of the Privacy Rule. The OCR found that Cignet had violated the rights of 41 patients by denying them access to their medical records when requested between September 2008 and October 2009, according to an HHS press release.

HIPAA requires that a covered entity provide patients with a copy of their medical records within 30 – and no later than 60 – days of the request. The CMP for these types of violations by Cignet was $1.3 million according to the violation categories and increased penalty amounts authorized in the Health Information Technology for Economic and Clinical Health (HITECH) Act. The OCR also found that Cignet failed to cooperate with the investigation by refusing to respond to the OCR’s demands to produce the records between March 17, 2009 and April 7, 2010. The CMP for these violations amounted to $3 million.

Only two days after the penalties against Cignet were announced, OCR broke the news of a $1 million settlement against Massachusetts General Hospital, HealthLeaders Media reports. The hospital lost 192 patient records belonging to its Infectious Disease Associates outpatient practice.

Greg Young, a security officer at Mammoth Hospital in Mammoth Lakes, Calif., told HealthLeaders Media that during an OCR investigation of claims made by a former employee, Young kept all communications and audit access logs in an electronic file so that he was able to give the OCR copies of the information on demand. It paid off: the OCR concluded that the former employee’s records had not been accessed incorrectly as he had claimed.

Kimberly J. Kannensohn, a partner with the healthcare practice at McGuireWoods, told Becker’s Hospital Review that under HIPAA, a complaint can be filed by anyone – patients, relatives of a patient, or even a current or former employee. Hospitals need to increase security, vigilance and HIPAA compliance to avoid investigation or liability.  
