Operating in a low-enforcement atmosphere, many covered entities came to perceive HIPAA as a paper tiger: complex rules and severe penalties on paper, but no teeth. Cast against aggressive enforcement of the federal fraud and abuse laws by the HHS Office of Inspector General (OIG) and the Department of Justice (DOJ), covered entities directed relatively few resources to HIPAA compliance. Risk stratification exercises and cost-benefit analyses generally did not justify high-intensity HIPAA compliance programs.
On the crest of statutory and regulatory enhancements to HIPAA enforcement since 2008, two recent high-stakes HIPAA enforcement cases suggest that covered entities may need to recalibrate their investments in HIPAA compliance. By imposing civil monetary penalties (CMPs) totaling $4.35 million on Cignet Health in Maryland and settling alleged violations with Massachusetts General Hospital for $1 million, the HHS Office for Civil Rights (OCR) has signaled the potential gravity of HIPAA non-compliance. At the same time, OCR has provided valuable compliance guidance to other covered entities through the Corrective Action Plans (CAPs) attached to these resolutions.
Recent Additions to HIPAA Enforcement Power
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, expanded the scope, enforcement powers and penalties available under HIPAA. Previously, Business Associates of covered entities were bound to follow HIPAA only contractually, through Business Associate Agreements (BAAs) with covered entities. HITECH made the HIPAA security provisions, together with the breach notification requirements that HITECH itself introduced, directly applicable to Business Associates.
The HITECH Act also increased the number of HIPAA enforcers and the scope of their enforcement powers. State Attorneys General may bring civil actions in Federal district court against HIPAA privacy and security violators. In addition, the HITECH Act requires HHS to perform "periodic audits to ensure that covered entities and business associates" comply with the Privacy and Security Rules.
Prior to the HITECH Act, HIPAA authorized HHS to impose CMPs up to $100 per violation and $25,000 for all violations of an identical rule per year. The HITECH Act revised HIPAA to implement an increased, tiered approach to CMPs based on the level of culpability associated with a violation. Penalties now range from $100 to $50,000 per violation, with an overall cap of $1.5 million for identical violations during a calendar year.
Recent Enforcement Actions
Armed with new administrative and statutory enforcement powers, OCR levied the first CMPs in the history of HIPAA and settled another significant alleged violation in February 2011.
Cignet breached the HIPAA Privacy Rule by failing to provide 41 individuals timely access to copies of their medical records and by failing to cooperate with OCR's investigation of the patients' complaints about that access. Although Cignet's underlying violations appear to have been relatively straightforward, OCR found that the infractions, combined with Cignet's subsequent failure to cooperate, warranted a finding of "willful neglect" and the highest tier of CMPs available.
In contrast to the Cignet matter, OCR's settlement with Mass General did not result in CMPs or involve a lack of cooperation. The alleged breach involved the removal of protected health information (PHI) from the hospital by a Mass General employee, who then lost it on a subway. The patient data at issue was particularly sensitive: names, medical records and other information for a total of 258 patients, including patients with HIV/AIDS. To resolve the alleged violations, Mass General agreed to pay $1 million to HHS and enter into a three-year CAP. The CAP requires Mass General to implement new policies, train its personnel, communicate with its workforce regarding the consequences of HIPAA breaches, and monitor and audit its HIPAA performance.
Conclusion
The risk profile of HIPAA compliance programs has recently shifted, both in theory and in practice. Although the body of HIPAA enforcement actions remains limited, OCR has taken a consistent approach in settling alleged violations.
In each HIPAA settlement to date, HHS has imposed a CAP that closely tracks the elements of an effective compliance program identified in the OIG's compliance program guidance documents. With more at stake than ever before under HIPAA, covered entities should consider dusting off their HIPAA compliance programs or policies and evaluating their effectiveness. A robust HIPAA program can either be integrated into the entity's overall compliance structure or designed as a stand-alone framework that incorporates, at minimum, the fundamental elements of an effective compliance program.