Shocker: First civil penalty for HIPAA violation
The first civil monetary penalty handed down by the Department of Health and Human Services (HHS) has created a buzz throughout the health care industry, and not just because of the eye-popping amount of the fine: $4.3 million.
As shocking as the size of the penalty is the nature of the alleged violation. HHS didn't impose its first, precedent-setting fine for any grand scheme to steal patient information and profit somehow from its commercial use. The $4.3 million penalty was imposed for failing to give patients access to their own information when they asked.
The HHS Office for Civil Rights (OCR), the arm that enforces HIPAA, imposed the civil monetary penalty against Cignet Health, a group practice and clinic in Temple Hills, MD, for violating the HIPAA Privacy Rule. Although there have been a number of settlements arising from alleged HIPAA violations, never before has OCR imposed a civil monetary penalty against a covered entity for violating the HIPAA Privacy Rule, explains Lawrence W. Vernaglia, JD, a health care attorney with the law firm of Foley & Lardner in Boston and chair of the firm's Health Care Industry Team.
The penalty against Cignet was based on the new violation categories and the increased penalty amounts authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR's action might foreshadow increased scrutiny and an invigorated willingness to assess significant penalties against covered entities for HIPAA violations, Vernaglia says.
HHS flexing its muscle
The $4.3 million civil monetary penalty was triggered by Cignet's failure to provide access to the medical records of 41 patients, as well as its failure to adequately cooperate with OCR's investigation, according to information released by HHS. (See the story on p. 41 for more details of the alleged violations and OCR's investigation. See the story on p. 42 for a recent settlement of HIPAA charges.)
At a press conference held to announce the groundbreaking penalty, HHS Secretary Kathleen Sebelius made clear that the department is not playing around. "Ensuring that Americans' health information privacy is protected is vital to our health care system and a priority of this administration," Sebelius said. "The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule."
OCR Director Georgina Verdugo, JD, LLM, MPA, said the company's "arrogance" was a primary reason for the large penalty. "Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records and adhere closely to all of HIPAA's requirements," Verdugo said. "The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules."
Cignet Health did not return calls seeking comment.
Not what was expected
Vernaglia says he was initially "astonished" by the amount of the penalty. He expected that such a huge fine would have been the result of a health care provider selling patient information to marketers, a brazen violation of HIPAA.
"It was too much money for the alleged violations underlying it, way too much for failing to give access to patient records," he says. "But the more I understood what happened, I realized it was a lot more about being unresponsive to the government when they came asking questions about it."
According to HHS, the company even failed to comply with a federal subpoena ordering it to produce the records.
Cignet Health's resistance to the government inquiries is puzzling, Vernaglia says. In particular, he wonders what was going through the mind of the physician to whom all of the HHS correspondence was addressed. "It's possible that this person had too much on his plate and just ignored the HHS letters, hoping they would go away," he says. "But it could be that the letters were all addressed to him and he wasn't even there, so they just never got anyone's attention. It would explain at least the initial failure to respond."
Lessons for risk managers
Some type of systems or process failure, or multiple failures, must have caused the problems at Cignet Health, Vernaglia says, because it is inconceivable that the company would have willfully ignored the government investigation. Vernaglia says there are several lessons from the case for risk managers:
Covered entities should examine their current HIPAA policies and practices, including their compliance program provisions for responding to requests for access to medical records, to verify that the entity's operations are current with the recent legal changes.
Cooperate fully with HHS investigations, even if you feel the allegations are unjust or trivial.
Misdirected communication can lead to disaster. Make certain you have a system in place to ensure that any such communication from HHS or another government entity is directed to the correct person, opened immediately, and forwarded to legal counsel as necessary. Update policies and procedures frequently to ensure such items are directed to the right person.
HHS is willing to impose hefty penalties for what might seem like minor violations of HIPAA. If you are only watching out for the big willful violations of HIPAA, you could be hit hard for violations that seem like a small matter.
"A good compliance program could have made this a very different kind of case," Vernaglia says. "Even if they failed to produce records for the patients, the fine in the end would have been several magnitudes smaller. HHS is giving them a spanking, and that's what you get when you ignore the government."
Lawrence W. Vernaglia, JD, Foley & Lardner, Boston. Telephone: (617) 342-4079. E-mail: firstname.lastname@example.org.