After several years during which the Department of Health and Human Services (HHS) operated essentially in “complaint-driven” mode with respect to enforcement of the HIPAA Privacy and Security Rules, recent activity suggests a trend toward stricter HIPAA enforcement. The latest evidence comes in a recently-announced settlement between HHS and the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI).
In this settlement, MEEI has agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule. MEEI also agreed to develop a corrective action plan that includes reviewing and revising its existing Security Rule policies and procedures and retaining an independent monitor for a three-year period to conduct semi-annual assessments of MEEI’s compliance with the corrective action plan and report back to HHS.
HHS began its investigation of MEEI after MEEI submitted a breach report, as required by the HIPAA Breach Notification Rule. The report indicated that an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects had been stolen. The HHS investigation concluded that MEEI had failed to comply with certain requirements of the HIPAA Security Rule – particularly with respect to the confidentiality of ePHI maintained on portable devices – and that those failures had continued over an extended period of time.
The MEEI settlement is just the latest in a string of recent penalties and settlements stemming from alleged HIPAA privacy and security violations. From 2003 through 2010, HHS reported that it had received nearly 58,000 privacy complaints and, of those, had resolved more than 52,000. In fact, during this initial eight-year period after the HIPAA Privacy Rule went into effect, HHS did not impose a single civil monetary penalty for HIPAA violations.
In February of 2011, however, HHS imposed a $4.3 million penalty against Cignet Health of Prince George’s County, Maryland. HHS found that Cignet had failed to respond to patients’ requests for access to their medical records and that Cignet refused to cooperate in HHS’s investigation. Later that same month, Massachusetts General Hospital entered into a $1 million settlement with HHS arising out of an incident in which an employee left paper records containing the PHI of 192 patients, including patients with HIV/AIDS, on the subway.
The recent increase in enforcement efforts may be partially attributable to the fact that the available civil penalties increased dramatically as a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act provides HHS with substantial leverage in settlement negotiations.
These steep penalties and settlements should serve as a reminder of how important it is to comply with the HIPAA Privacy and Security Rules. Health plan sponsors should review their existing policies and procedures and remain vigilant in their training of employees.
Julia M. Vander Weele