Major Financial Penalties Assessed Against HIPAA Violators
By: Justin Vaughn, M.Div, CPC, Director of Compliance

7/21/2011


The Office of Civil Rights (OCR), the enforcement agency for the U.S. Dept. of Health and Human Services concerning the HIPAA privacy rule, has announced the assessment of the following fine and financial settlements in response to corporate violations of specific HIPAA provisions:

  • $4.3 million fine against Cignet Health of Prince George’s County, Maryland for failing to furnish 41 patients their health information upon request within the 30-day time frame (60-day deadline for offsite information).  Cignet failed to timely respond to the OCR’s request for records, and did not aid the government’s investigation, which in turn led to the imposition of a civil monetary penalty against the entity.
  • $1 million settlement with Massachusetts General Hospital due to an incident involving a hospital employee who had permission to take 192 billing records offsite, but then inadvertently left those records on the subway.  The abandoned documents revealed the names of patients with HIV, among other personal information.  According to the OCR, Mass General failed to implement safeguards for the removal of patient records from the premises.
  • $865,000 settlement with UCLA Health System for the actions of its employees who, without authorization, repeatedly viewed the protected health information (PHI) of 2 celebrity patients, as well as others. The OCR stated that employers are responsible for the acts of their employees in this regard, and that employers must restrict access to only those employees with a valid reason to access PHI.


To ensure your practice is able to avoid the imposition of these types of federal fines or enforced settlements, you should: (a) make certain you have a set of HIPAA policies and procedures, (b) be diligent in educating your partners and staff on these, and (c) be aggressive in rooting out risky practices and personnel, if necessary.  If you do not have a set of HIPAA  policies and procedures—pertaining to both the privacy regs and the security regs—there are several healthcare consultants and attorneys who provide these types of templates, which you can customize to fit your practice parameters.

I wish to thank healthcare attorney David Vaughn of Baton Rouge, La. for bringing the above enforcement actions to my attention.


The information presented herein reflects general information that is current as of the date it was first published.  In light of changes that may occur in the health care regulatory and compliance environments, the author's presentation of this information might become outdated.  Please check with your individual legal and/or compliance advisor(s) prior to taking any significant actions based upon the information and advice presented.
