With reports about multi-million dollar HIPAA fines in the news for the first time, and discussion of stiff new HIPAA penalties from the HITECH Act, administrators and physicians are asking about the new enforcement activities.   Recently, a small organization was hit with a $4.3 million fine.  What is the likelihood of a huge fine for your organization?

The HIPAA Privacy Rule went into effect in 2003, and the HIPAA Security Rule in 2005. For several years, enforcement was minimal. In fact, the HHS Office of Inspector General criticized CMS in 2007 for lax enforcement. Since then, enforcement responsibilities have been reassigned: the HHS Office for Civil Rights (OCR) now enforces both the Privacy Rule and the Security Rule, and the Department of Justice (DOJ) handles criminal prosecutions.

The DOJ has obtained criminal convictions for about a dozen individuals; about half of them received jail time, while the rest received a combination of probation and monetary fines. The largest fine imposed on an individual was $2.5 million, against Fernando Ferrer of Florida. Many other workers have been terminated or sanctioned by their employers for violations. For example, three curious medical workers at University Medical Center in Tucson were fired for HIPAA violations after looking at the records of victims of the shooting rampage in which Arizona Congresswoman Gabrielle Giffords was wounded.

In July 2008 the federal government's corrective action plans for the first time included settlement payments: Providence Health & Services agreed to pay $100,000. Subsequent cases involved CVS, Rite Aid and Massachusetts General Hospital, which settled for $2.25 million, $1 million and $1 million respectively.

In February 2011 the federal government first exercised its power to impose civil monetary penalties, with a $4.3 million penalty against Cignet Health, a small medical clinic and health plan in the Washington, DC area.

In February 2009 the Stimulus Bill (the HITECH Act) enacted many changes to the HIPAA regulations, including a completely revamped enforcement and penalty structure. Notable among the changes is that state attorneys general were given enforcement power. In July 2010 the Connecticut Attorney General brought the first successful state case, resulting in a settlement with the insurer Health Net of Connecticut. The terms included a $250,000 fine plus an agreement by the firm to offer credit monitoring services to the 1.5 million subscribers affected by the breach. Indiana's Attorney General is currently pursuing a case against WellPoint, the parent of Anthem Blue Cross and Blue Shield, for failing to promptly notify consumers of a security breach.

HIPAA's new civil monetary penalties run as high as $50,000 per violation, capped at $1.5 million per calendar year for violations of the same provision.

The Stimulus Bill also mandated HHS to perform periodic compliance audits as part of its enforcement regimen. The audit program, originally scheduled to begin in 2010, is still under study by the HHS Office for Civil Rights. Stay tuned for developments on this important program.

To avoid being on the wrong side of an enforcement action, HIPAA covered entities are advised to:

  • Update your policies to stay compliant with recent changes, including the requirement to notify individuals of improper disclosures such as the loss of a laptop containing protected health information,
  • Conduct a new security risk assessment that accounts for new threats, such as inappropriate use of social media such as Facebook by employees,
  • Consider encrypting laptop computers, smartphones and backup tapes to reduce your exposure in the increasingly likely event of loss or theft; a breach of properly encrypted data does not trigger the notification requirement.

Finally, stay current with the whole series of regulatory changes still unfolding from the statutory changes in the February 2009 Stimulus Bill.