Implications of HIPAA/HITECH
Recent events show that the government was not bluffing when it signaled increased enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, emphasized increased enforcement of HIPAA by providing for a tiered increase in the penalties that may be levied against an entity that violates HIPAA. Penalties could run between $100 and $50,000 for each violation, and between $25,000 and $1.5 million per year.
Generally, when an entity seriously violates HIPAA, the Office for Civil Rights (OCR) enters into a resolution agreement with the entity. The resolution agreement includes certain obligations that the covered entity is required to perform for a number of years in order to ensure compliance. The resolution agreement also generally includes a monetary fine. Since the HITECH Act was passed in February 2009, the OCR entered into four resolution agreements with entities, including the first ever imposition of civil money penalties (CMP), which occurred on February 4, 2011. This is in stark contrast to OCR’s enforcement actions prior to the HITECH Act where only two resolution agreements had been entered into by OCR since HIPAA’s inception (one for the improper use of health information for marketing purposes, and the other for the improper disposal of health information).
Examples of Impact of Penalties
Cignet Health of Prince George’s County, Md. (Cignet) now faces a CMP in the amount of approximately $4.3 million. This CMP was imposed on Cignet following the OCR’s finding that Cignet violated 41 patients’ rights by denying them access to their medical records when requested, as is required by the HIPAA regulations. The CMP for these violations equaled $1.3 million. The remaining $3 million in CMPs was levied against Cignet for Cignet’s failure to cooperate with the OCR’s investigations of the complaints; Cignet failed to respond to the patients’ requests after receiving contact and notices from the OCR demanding that Cignet provide the patients with access to their records and also failed to produce records in response to a subpoena.
Another recent OCR action was taken against Mass General. On February 14, 2011, Mass General entered into a resolution agreement with the OCR in which it agreed to pay $1 million to the federal government to resolve a complaint that it violated the HIPAA regulations when an employee left the medical records of 192 patients on a subway train. The Mass General employee removed the medical records from Mass General’s premises for the purpose of working on the documents from home. The records were never recovered. Also, as part of the resolution agreement, Mass General entered into a Corrective Action Plan (CAP) which incorporates Mass Health’s future compliance obligations as they relate to compliance with HIPAA.
Steps To Take Now
With all of this in mind, now that there is an increased focus on HIPAA violations, the question arises: “What can an entity do to stay off of the OCR’s radar?” The most recent HIPAA enforcement actions and the resulting resolution agreements and CAPs help to serve as guidance for ways that entities may avoid the OCR’s scrutiny. Based on these documents, at the very least, entities should ensure that:
- All HIPAA Policies and Procedures have been updated to reflect current law and that the entity is following its HIPAA Policies and Procedures
- All workforce members have been trained on the most recent HIPAA Policies and Procedures
- There is a mechanism in place to help monitor the workforce’s compliance with the HIPAA Policies and Procedures, and all instances of non-compliance are addressed in accordance with the entity’s HIPAA Policies and Procedures
- The entity takes steps on a regular basis to review its HIPAA Policies and Procedures in order to ensure modifications are made to address any identified weaknesses
- The entity documents and retains all actions and information that it is required to document in accordance with the HIPAA regulations, and that such documentation is organized and in a form that is easily accessible
- If an entity receives notice of an investigation or a subpoena from the OCR, or any other government agency, related to the investigation of a HIPAA complaint, the entity seeks expert guidance when indicated and cooperates with the investigation, to the extent required by law
For More Information
If you would like more information on the government’s recent enforcement of HIPAA, please contact one of our attorneys:
About Polsinelli Shughart PC
With more than 500 attorneys, Polsinelli Shughart PC is a national law firm that is a recognized leader in the areas of business law, financial services, real estate and business litigation. Serving corporate, institutional and individual clients, Polsinelli Shughart is redefining the business of law by sharing ideas, goals and outcomes with its clients. The firm builds enduring relationships by creating value beyond legal services – with passion, ingenuity and a sense of urgency. The firm can be found at www.polsinelli.com.