Business Workshop: HITECH Ushers in Era of Higher Penalties Under HIPAA

2012-03-30 01:10:05


Two recent cases suggest we have entered a new era of more stringent enforcement of HIPAA's privacy and security standards.

For the first time, the Office for Civil Rights (OCR) at the Department of Health and Human Services, which is charged with enforcing the privacy and security standards of HIPAA (the Health Insurance Portability and Accountability Act), has imposed a civil money penalty under the statute.

In a press release from February, OCR announced that Cignet Health of Maryland was fined a total of $4.3 million for ignoring requests for medical records from 41 individuals and for failing to cooperate with OCR's investigation of 27 related complaints.

Two days later, OCR announced a $1 million settlement with Massachusetts General Hospital after an employee left documents containing patients' health information on the subway. OCR's investigation indicated that the hospital "failed to implement reasonable, appropriate safeguards to protect the privacy of protected health information."

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) significantly increased the potential monetary penalties for HIPAA violations, setting them at $100 to $50,000 per violation (with each day of a continuing violation counted separately), up to a maximum of $1.5 million for violations of the same provision in any one calendar year.

The new penalty setup provides for tiered penalty amounts based on the nature and extent of the violations, the nature and extent of the resulting harm, and the violator's history of compliance. OCR has said that the failure of an organization to implement adequate privacy and security policies may cause investigators to conclude that the organization has a higher level of culpability, and result in a higher penalty.

These cases demonstrate the importance of adopting adequate written privacy and security policies and procedures; training employees on HIPAA's requirements; monitoring compliance and acting quickly to mitigate any damage resulting from a breach; and cooperating with OCR investigations.

Even the minimum penalties under HIPAA can add up quickly, and by its recent actions OCR has indicated that it will not tolerate a lack of seriousness when it comes to HIPAA compliance.

-- Lauren B. Licastro (llicastro@morganlewis.com) is with Morgan, Lewis & Bockius LLP


First Published May 23, 2011 12:00 am