HIPAA Monetary Penalties Assessed

The U.S. Department of Health and Human Services’ Office for Civil Rights finalized its finding this month that a physicians' group violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The agency has imposed a monetary penalty of $4.3 million for the violations, representing the first monetary penalty issued by the agency for violations of the HIPAA Privacy Rule.  The increased penalty amounts were imposed under Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which took effect in October 2009 and was intended to supplement and help enforce HIPAA.

HITECH was passed to help enforce HIPAA.  These are federal laws that provide individuals with protection for their personal information disclosed in receiving health care.  Both laws are intended to protect patients’ privacy while allowing providers and other entities (like insurance companies) to effectively provide health care for the individuals.

Cignet Health, a physician group in Maryland, failed to provide 41 patients with copies of their medical records.  As regulations passed in October 2009 under HITECH allow for a minimum fine of $100 per patient per day (penalties used to be capped at $100 per patient per day), this added up to a penalty of $1.3 million.  In addition to the $1.3 million, Cignet Health was fined $3 million for refusing to cooperate in OCR’s investigation.

These circumstances are somewhat unusual because of the egregious conduct of the physicians' group.  However, as it is an attorney’s duty to recite the “better safe than sorry” maxim.

So, what does this mean for Humboldt County medical providers?  Because this is the first matter of its kind, it is still not clear whether the Office for Civil Rights will be much more diligent in imposing actual monetary remedies or whether it will continue its more common practice of entering into Resolution Agreements.  Find more information about Cignet Health and the civil penalty imposed here.  What is clear is that it is important to exercise diligence in complying with HIPAA and other privacy laws.  Every entity covered under HIPAA (medical providers, doctors, insurance plans, or otherwise) should ensure that at least one employee is tracking the requirements under the law and implementing protective measures with diligence.  This includes both traditional methods of privacy protection, such as locking file cabinets, as well as evolving issues relating to electronic medical records and electronic databases.