Trend Alert: Dept. of Health More Aggressively Enforcing HIPAA

Published: March 9, 2011

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) recently imposed its first civil monetary penalty (CMP) for a violation of the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) since the rule went into effect in 2003. The action signifies a shift in how the OCR approaches HIPAA enforcement.

Historically, the OCR’s approach to Privacy Rule violations has been passive – but that has started to change, Becker’s Hospital Review reports. To ensure compliance and avoid hefty fines, hospitals should revisit their compliance documents, update them and conduct training. Hospital officials should also plan to conduct retraining regularly.    

Recently, the OCR fined Cignet Health of Prince George’s County, Md., $4.3 million for its violations of the Privacy Rule. The OCR found that Cignet had violated the rights of 41 patients by denying them access to their medical records when requested between September 2008 and October 2009, according to an HHS press release.

HIPAA requires that a covered entity provide patients with a copy of their medical records within 30 – and no later than 60 – days of the request. Under the violation categories and increased penalty amounts authorized in the Health Information Technology for Economic and Clinical Health (HITECH) Act, the CMP for these types of violations by Cignet was $1.3 million. The OCR also found that Cignet failed to cooperate with the investigation by refusing to respond to the OCR’s demands to produce the records between March 17, 2009 and April 7, 2010. The CMP for these violations amounted to $3 million.

Only two days after the penalties against Cignet were announced, OCR broke the news of a $1 million settlement against Massachusetts General Hospital, HealthLeaders Media reports. The hospital lost 192 patient records belonging to its Infectious Disease Associates outpatient practice.

Greg Young, a security officer at Mammoth Hospital in Mammoth Lakes, Calif., told HealthLeaders Media that during an OCR investigation of claims made by a former employee, Young kept all communications and audit access logs in an electronic file so that he was able to give the OCR copies of the information on demand. It paid off: the OCR concluded that the former employee’s records had not been accessed incorrectly as he had claimed.

Kimberly J. Kannensohn, a partner with the healthcare practice at McGuireWoods, told Becker’s Hospital Review that under HIPAA, a complaint can be filed by anyone – patients, relatives of a patient, or even a current or former employee. Hospitals need to increase security, vigilance and HIPAA compliance to avoid investigation or liability.  

Posted in: News

Tagged with: Fines, HIPAA, HITECH, Privacy
