HIPAA: Million Dollar Penalties Imposed

March 1, 2011

Cox Smith Employee Benefits E-Alert

Enforcement efforts and significant penalties are ramping up as expected for compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Department of Health and Human Services’ Office for Civil Rights ("OCR") issued two press releases last week regarding the imposition of a $4.3 million civil money penalty in one case and $1 million settlement in the other case, notably utilizing the increased penalties available under the Health Information Technology for Economic and Clinical Health Act.

In the first press release, OCR announced that it issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., violated the HIPAA Privacy Rule by failing to provide patients with access to their records and by not cooperating with OCR. Because of these actions, OCR imposed the highest tier of penalties for violations due to willful neglect, resulting in a $4.3 million penalty. 

In the second release, OCR announced that it came to a settlement agreement with General Hospital Corporation and Massachusetts General Physicians Organization Inc. ("Mass General") for potential violations of the HIPAA Privacy Rule. The violations occurred when a Mass General employee made a $1 million mistake. The employee commuted to work on the subway with documents containing protected health information and forgot the documents on the train. 

In its press releases, OCR warned covered entities and business associates to adhere closely to all of HIPAA’s requirements because HHS will continue to investigate and take action against organizations that knowingly disregard their obligations under HIPAA. In addition, OCR advised that a HIPAA compliance program should include the following components: "employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents."

Cox Smith can assist you with all of your HIPAA compliance efforts, including policies and procedures, training, Breach Notification Rule risk assessments, and conducting a HIPAA gap analysis to help protect you from such draconian penalties. Please contact any of our Employee Benefits lawyers if you have any questions regarding this e-alert or for assistance with your HIPAA compliance needs.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2021 Dykema Gossett PLLC.