DHHS Is Getting Serious about Enforcing HIPAA

The Department of Health and Human Services (“DHHS”) has apparently decided to increase its enforcement budget by imposing large civil money penalties.

DHHS now has a financial incentive to enforce HIPAA & HITECH

In the HITECH Act, Congress increased the civil money penalty from $100 per violation to as much as $50,000 per violation and changed the law so that, rather than the fine going to the U.S. Treasury, where the government could spend it on anything it wanted, the fine now goes directly to DHHS to support its enforcement efforts. So DHHS has a big incentive to fine covered entities and business associates (the HITECH Act made business associates subject to the same civil and criminal penalties as covered entities). To date, DHHS has imposed only one civil money penalty directly but has entered into settlements with three other covered entities that certainly contain large fines.

Cignet Health fined $4,351,000

Earlier this year, DHHS imposed the first actual civil money penalty against Cignet Health of Prince George’s County, Maryland. Cignet had failed to provide 41 patients with copies of their medical records. Of the 41 patients, 38 complained to the DHHS Office for Civil Rights (OCR) under HIPAA’s complaint procedure. In what passes for a totally incompetent response to a HIPAA violation, Cignet failed to respond to OCR’s written notice of its investigation and failed to produce the records as OCR directed. Cignet even ignored a subpoena duces tecum for the records, including after the Federal District Court for the District of Maryland ordered it to comply. Cignet did not produce the records until after OCR had obtained a default judgment against it. OCR then sent Cignet notice that it had both failed to comply with the Privacy Rule and failed to informally resolve the matter.

The letter offered Cignet the opportunity to submit matters in defense or in mitigation (factors that could reduce the severity of the offenses). The letter also said that Cignet could submit matters to show that the breach was due to a reasonable cause and not to willful neglect, which could result in a waiver of a civil money penalty. Cignet failed to respond to that letter.

Thus, OCR found that Cignet had failed to provide access as stated and had also failed to cooperate with the investigation, and that these failures were due to willful neglect (which raises the penalty tier from $1,000 per violation for violations due to reasonable cause to $10,000 per violation for violations due to willful neglect that are corrected properly, or to $50,000 per violation for violations due to willful neglect that are not corrected properly). OCR also found that each failure to provide copies was a separate violation and that each day that Cignet failed to cooperate was a separate violation. OCR fined Cignet $1,351,000 for the denial of copies to the patients and $3,000,000 for the failure to cooperate with the investigation, for a total of $4,351,000. Now, how stupid is it to fail to give patients something they have a clear federal right to and then not cooperate with an OCR investigation?

Losing laptops with PHI can get expensive

In 2008, Providence Health Services did cooperate with OCR, thereby avoiding a civil money penalty, such as the one that Cignet incurred, and was only “fined” $100,000 by virtue of a resolution agreement (settlement) for the loss of a number of laptops containing PHI. It did, however, have to enter into a corrective action plan that requires the following:

  • Revised policies and procedures for physical and technical safeguards relating to storage and transport of devices or media containing PHI, subject to the approval of DHHS.
  • Work force training for staff members.
  • Mandatory audits and facility site visits.
  • Submission of compliance reports to DHHS for three years.

Properly dispose of old prescription labels

CVS Pharmacy also entered into a resolution agreement for its breach consisting of improperly disposing of PHI on prescription bottle labels and old prescriptions by disposing of them in unsecured dumpsters. The agreement required CVS to pay $2.25 million and enter into a corrective action plan that requires the following:

  • Revising and distributing its policies and procedures regarding disposal of PHI.
  • Sanctioning workers who do not follow those procedures and training them on the new requirements.
  • Conducting internal monitoring.
  • Engaging a qualified, independent, third-party assessor to audit CVS’s compliance with the corrective action plan and to report the same to DHHS.
  • New internal reporting procedures requiring workers to report all violations of the new privacy policies and the submission of compliance reports to DHHS for three years.

The Million-Dollar Subway Ride

Finally, Massachusetts General Hospital entered into a similar resolution agreement for what has become known as the “Million-Dollar Subway Ride.” A hospital employee took billing encounter forms and daily office schedules containing the names, dates of birth, medical record numbers, health insurer and policy numbers, and diagnoses of 192 patients home to work on. While returning to work, she removed the records from her bag and left them on the subway, not in any container but simply bound with a rubber band. This breach cost $1 million, and the resolution agreement required the following:

  • Development and implementation of policies.
  • Training of the workforce.
  • Monitoring as approved by OCR including reports to OCR every six months.

These four enforcement actions make it clear that the good old days of taking HIPAA lightly because DHHS was not enforcing it are over. Failure to have policies and procedures in place and to enforce them will clearly constitute willful neglect, with its much higher penalties. And DHHS cannot waive civil money penalties for willful neglect. For help in developing these policies, click here to order my Compliance Guide to HIPAA and the DHHS Regulations, 4th edition, and the accompanying HIPAA Documents Resource Center CD, 4th edition.

Posted June 17th, 2011, in: HIPAA Compliance Blog