It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way—in short, the period was so far like the present period, that some of its noisiest authorities insisted on its being received, for good or for evil, in the superlative degree of comparison only.

—Charles Dickens, A Tale of Two Cities (1850).

It was the best of times: world class medicine. It was the worst of times: post-Obamacare and overregulation of the health care industry. It was the age of wisdom: The New England Journal of Medicine, among others. It was the age of foolishness: thousands of pages of almost incomprehensible HIPAA regulations. It was the epoch of belief: we can cure cancer. It was the epoch of incredulity: cancer is incurable, and all we can have are palliative drugs to make the expensive chemotherapy less painful. It was the season of Light: the Government can fix anything. It was the winter of despair: the Government can’t fix anything. We had nothing before us except a seven-figure HIPAA Civil Money Penalty, possible lawsuits, and huge legal fees . . . .

—Jon Tomes, poor paraphrase of Dickens.

Regardless of whether HIPAA is inevitably the winter of Despair, it certainly was for Cignet Health of Prince George’s County, Maryland, as discussed in my June 17, 2011, blog post, “DHHS Is Getting Serious about Enforcing HIPAA.” In a Notice of Proposed Determination issued October 20, 2010 (NPD), OCR found that Cignet had violated 41 patients’ rights by denying them access to their medical records. These patients, each of whom had made a request to obtain their records between September 2008 and October 2009, individually filed complaints with OCR initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide to a patient a copy of the patient’s medical records within 30 (and no later than 60) days of the patient’s request. The Civil Money Penalty (“CMP”) for those violations was $1.3 million. During the investigations, Cignet refused to respond to the repeated demands by the DHHS Office for Civil Rights’ (“OCR”) to Cignet to produce the records. Cignet also failed to cooperate with OCR’s investigations of the complaints, including failure to produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. This failure upped the CMP to $4,351,000. For more details on how to increase the amount of your fine, click here.

So for Cignet, it was the worst of times. Two recent cases have, however, illustrated the best of times and the worst of times. For the University of Rochester Medical Center, the NY Attorney General fined it $15,000 for a patient privacy violation involving a departing employee provider taking medical records of patients whom she had served. That state action would not prevent OCR from imposing a civil money penalty, but OCR declined to do so because the University of Rochester Medical Center had promptly and completely responded to the matter.

In a similar case, OCR imposed a $239,800 civil money penalty against Lincare, a home health agency, for a breach that also involved an employee taking PHI home. When the employee left her home to leave her husband, she left the records behind. Lincare defended by saying that her husband stole them in an attempt to get her back. Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken offsite, although employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information (“PHI”) in their own vehicles for extended periods of time. Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules. See HHS.GOV, Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc., to pay $239,800, February 3, 2016.

So for the University of Rochester Medical Center, it was the best of times—only a $15,000 fine because it promptly and completely responded to the matter. For Lincare, however, it may have been the worst of times, because Lincare had to pay $239,800, not counting the legal fees inherent in its losing appeal, although not so catastrophic as Cignet, which, by the way, is now bankrupt and out of business.

So if you want to be in the best of times category if you have a breach, you must have in place a written risk analysis and updates, have your physical and technical security measures in place, and implement and enforce all necessary policies and procedures. And, for Heaven’s sake, don’t take complaints and complaint investigations lightly.

My Vice President, Alice McCart, and I join in wishing you the best of times. That’s why we published Your Happy HIPAA Book. Follow my instructions in each tab, check off and date each task as you complete it and put the written documentation into each tab, and then rest easy, knowing that, for you, it is indeed the season of Light.