This article first appeared in the May 5, 2011 issue of MiBiz.
Employers need to be concerned about stepped up HIPAA enforcement actions likely to result in monetary settlements.
The Health Insurance Portability and Accountability Act of 1996 has moved past the compliance stage into the enforcement stage. The U.S. Department of Health & Human Services Office of Civil Rights has created a new deputy director position to oversee enforcement. HIPAA, enacted in 1996, protects health insurance coverage for workers and their families when they change or lose their jobs, established national standards for electronic healthcare transactions, and aims to encourage the widespread use of electronic medical records. HIPAA also addresses the security and privacy of health data.
Norbert Kugele, partner with Warner Norcross & Judd LLP and chair of the firm's HIPAA task force, said the new HITECH amendments to HIPAA increased the penalties and required HHS to go out and conduct audits.
"In the years leading up to this, there hasn't been much formal enforcement activity," Kugele said. "There's never been a civil money penalty assessed against anybody. For the very first time, civil money penalties have been assessed."
He said the new officer in charge of HIPAA enforcement told attendees at the National HIPAA Summit that there will be more settlements coming down the road. The HITECH amendment also allows HHS to keep any monies collected to help fund more enforcement activity.
Kugele said three recent cases are examples of the increased enforcement. The most significant action involved Maryland-based Cignet Health. The healthcare company was slapped with a $4.3 million civil penalty. Kugele said HHS received a number of complaints from individuals that Cignet wasn’t responding to requests for access to their medical records. When HHS investigated, Cignet refused to cooperate and didn’t respond to subpoenas for the records, resulting in a $1.3 million penalty plus a $3 million penalty for refusal to cooperate with the HHS investigation.
Kugele noted companies can be assessed penalties of $50,000 per day, but are capped at $1.5 million per year.
Another enforcement case involving Massachusetts General Hospital resulted in a $1 million resolution agreement. In that case, an employee took some paper records home to work on at night and left the records on a subway the next day. The records were never recovered. Kugele said the underlying problem was that the hospital didn’t have any policies and procedures in place governing the removal of records from the hospital, including who could take records home and for what purpose.
In another case that flew under the radar, Washington Inc. agreed to pay a $35,000 penalty and put in place a corrective action plan due to allegations that the management services company was using protected health information for marketing purposes without obtaining authorization from patients. Kugele said the company agreed to comply with HIPAA and "take certain actions within a given time frame."