HHS Imposes First HIPAA Civil Money Penalty of $4.3 million
Cignet Health, a health care organization in Maryland, has been assessed a $4.3 million civil monetary penalty for violating HIPAA. Although the Department of Health & Human Services (HHS) has entered into financial settlements before, this marks the first time it has issued a civil money penalty under HIPAA, and the penalty is significantly higher than previous financial settlements..
Early HIPAA enforcement—voluntary compliance
The original version of HIPAA had what many considered to be rather weak penalties. Penalties were capped at $100 per day of violation and at $25,000 for the same violation in any one year. Also, HHS took a lot of criticism for its informal enforcement of the act. Although HHS would investigate every complaint that it received, it would seek voluntary, confidential compliance agreements from those who violated the law. From 2003 through 2007, HHS never sought any financial penalties from any violators. Moreover, there were almost no details available about HHS's enforcement activity.
HHS steps up enforcement—enters into financial settlements
Responding to criticism that it wasn't doing enough to enforce HIPAA, HHS finally entered into its first financial settlement in July of 2008. That case involved Providence Health, which over a seven month period had experienced four separate incidents of lost computers and another incident involving lost backup tapes and other storage media, thus compromising information on thousands of patients. In a resolution agreement, Providence Health agreed to pay a $100,000 financial settlement to HHS and to implement a corrective action plan.
In January of 2009, HHS entered into a second financial settlement. This involved a joint investigation by HHS and the Federal Trade Commission over allegations that CVS's retail pharmacies were improperly disposing of medical information in unsecured dumpsters. The settlement came to $2.25 million, but there's no details available on how HHS and FTC calculated the settlement amount. Since CVS operates more than 6,300 stores, this amounts to a penalty of approximately $350 per store.
In July of 2009, HHS and the FTC also entered into a settlement with Ride Aid. As with CVS, the investigation involved allegations that Rite Aid had improperly disposed of medical information. The settlement amount was $1 million. Since Rite Aid operates about 4,900 stores, this amounts to a little more than $200 per store.
Congress amends HIPAA's enforcement penalties
While HHS was investigating Rite Aid, Congress took action to stiffen the penalties under HIPAA. In February of 2009, Congress passed the Health Information Technology and Clinical Health (HITECH) Act to amend HIPAA. HITECH dramatically increased the monetary penalties, which now range from a minimum of $100 to $50,000 per day of violation, with an annual cap of $1.5 million for the same violation in any one year. HITECH also requires HHS to engage in compliance audits and gives state Attorneys General the right to enforce HIPAA. HHS published regulations implementing the stiffer penalties in October of 2009.
Even with stiffer penalties available, HHS has continued to follow its practice of informally enforcing HIPAA. HHS did not enter into another financial settlement until December of 2010, when it settled with Management Services Organization (MSO). The resolution agreement settled allegations that MSO was sharing health information with a sister company that would use the information to improperly market Medicare Advantage Plans to individuals. As part of the settlement, MSO agreed to pay $35,000.
The first imposition of civil monetary penalties: Cignet Health
CIGNET Health is a health care provider in Maryland that operates four clinics. Cignet Health drew the attention of HHS after forty-one of its patients filed complaints with HHS because Cignet would not grant them access to their medical records. To make matters worse, when HHS approached Cignet Health, its requests were ignored. It was only when HHS finally obtained a judgment from a court that Cignet Health produced records—and then it overproduced, providing records of approximately 4,500 patients to HHS. HHS ended up fining Cignet Health $4.3 million.
Of perhaps the greatest interest is the manner in which HHS calculated its penalties. First, it assessed a penalty of $100 per day for each day that Cignet failed to timely respond to each individual's request for access. This is essentially the minimum penalty under the new HITECH penalty structure, but this case demonstrates how even the minimum penalty can quickly add up. Cignet Health received requests for access at various times in 2008 and 2009, and HHS applied the penalty through April 7, 2010, the date that Cignet Health finally produced all of its records to HHS. Because Cignet Health ignored requests from 41 individuals, HHS calculated a total of 13,516 penalty days, resulting in a fine of $1,351,600 for Cignet's failure to respond to these individuals' requests for access.
HHS then also assessed the maximum penalty of $50,000 per day for Cignet Health's failure to cooperate with the HHS's investigation. Because HHS was formally investigating 27 of the complaints, it calculated 4,859 days of noncompliance for 2009 and 2,619 days for 2010. This would have resulted in $242 million in penalties for 2009 and $130 million for 2010—but because penalties for the same violation are capped at $1.5 million per year, the penalty for failure to cooperate was limited to $3 million. The total penalty came to $4,351,600.
Although HHS continues to try to resolve HIPAA violations informally, this case signals that HHS is certainly willing to impose a financial penalty, particularly if the target of the investigation fails to cooperate. Had Cignet responded to HHS's investigation and shown a willingness to comply with HIPAA, it likely could have entered into a consent agreement and entirely avoided any financial penalties. But when it failed to respond to HHS's inquiries and even a subpoena, Cignet found itself facing the largest financial penalty yet under HIPAA. As this case demonstrates, even the minimum HIPAA penalties can quickly multiply to a significant dollar amount.
The attorneys at Warner have significant experience in HIPAA compliance and in responding to inquiries from HHS. If you need assistance, please contact Norbert F. Kugele (firstname.lastname@example.org, or by phone at 616.752.2186) or any other member of Warner's HIPAA Task Force.