Recent Enforcement Actions By The Department Of Health And Human Services Draw Attention To The HIPAA Privacy Rule


This article was originally published in the April 2011 issue of Atlanta Hospital News.

The Department of Health and Human Services ("HHS") Office of Civil Rights ("OCR") has recently issued two press releases, drawing renewed attention and focus to the OCR's enforcement of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule. In general, the Privacy Rule establishes national standards for the use and disclosure of an individual's health information by covered entities, defined as health plans, health care providers and health care clearinghouses. The Privacy Rule also sets standards for providing individuals with privacy rights to understand and control how their health information is used. The OCR is tasked with administering and enforcing the Privacy Rule.

On February 22, 2011, the OCR issued a Notice of Final Determination, finding that Cignet Health of Prince George's County, MD ("Cignet") had violated the Privacy Rule, and imposed a $4.3 million civil monetary penalty for the violations. The HIPAA Privacy Rule requires a covered entity to provide medical records within thirty (30) days, and no later than sixty (60) days, after they are requested. The OCR found that Cignet violated the Privacy Rule by denying 41 patients access to their medical records.

After the Cignet patients filed individual complaints with the OCR, the OCR opened an investigation. Cignet refused to respond to the OCR's demands to produce the medical records. The OCR then filed a petition to enforce a subpoena in a United States District Court and obtained a default judgment against Cignet on March 30, 2010. Although Cignet produced the records on April 7, it made no other effort to settle the complaints. Under the HIPAA Privacy Rule, covered entities are required to cooperate with the OCR's investigations. The OCR apportioned $1.3 million of the penalty for the failure to produce the patient medical records and the remaining $3 million for the failure to cooperate with the OCR's investigation.

Just two days later, on February 24, 2011, the OCR announced that it had reached a settlement with the General Hospital Corporation and Massachusetts General Physician Organization Inc. ("Massachusetts General") for alleged violations of the Privacy Rule. The OCR's investigation began after a Massachusetts General employee left records containing the protected health information of 192 patients, including patients with HIV/AIDS, on a subway train while commuting to work. The records included billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider, as well as three days of the practice's daily office schedules, containing the names and medical record numbers of the 192 patients. The records were never recovered.

Under the settlement, Massachusetts General agreed to pay the U.S. government $1 million and enter into a Corrective Action Plan for safeguarding the privacy of its patients' records. Specifically, Massachusetts General must develop and implement a comprehensive set of policies and procedures to ensure that protected health information is protected when removed from the covered entity's premises. In addition, Massachusetts General agreed to train workforce members on these policies and procedures and to designate the Director of Internal Audit Services of Partners HealthCare System Inc. to serve as an internal monitor who will conduct assessments of Massachusetts General's compliance with the Corrective Action Plan, as well as provide semi-annual reports to HHS for three years.

The settlement and the Corrective Action Plan reinforce the OCR's emphasis on developing and maintaining internal policies to prevent the type of violation that happened at Massachusetts General. OCR Director Georgina Verdugo noted in the press release, "We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information."

In the wake of the recent enforcement actions, covered entities should carefully review their policies and procedures regarding the HIPAA Privacy Rule and continue to educate their employees regarding their obligations under the law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
