Beware of HIPAA enforcement crackdown, legal experts warn

Legal experts are warning hospital CEOs and compliance officers to heed the pricey lessons learned from recent multi-million dollar penalties incurred by Cignet Health and Massachusetts General Hospital, which were recently slapped with $4.3 million and $ 1 million fines, respectively, due to federal HIPAA privacy and security violations. 

“OCR has discovered its teeth and will not hesitate to bite hard,” said Donald L. Bradfield, senior counsel in the legal department of Johns Hopkins Health System, referring to HHS’ Office for Civil Rights, which enforces HIPAA. 

Interestingly, neither high-profile case involved any high-tech breaches. Maryland-based Cignet Health in February became the first organization hit with a federal civil money penalty after an OCR investigation found that Cignet failed to provide medical records to 41 patients who requested them. Shortly thereafter, Massachusetts General caught heat after an employee left medical documents on the subway. 

Indeed, OCR Director Georgina Verdugo sent a stern warning after the Mass General incident in February, "We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information.” 

Likening EMRs to “the nuclear energy of health reform,” James Pyles, principal of Powers Pyles Sutter & Verville, noted that while they can yield outstanding benefits, they can also wreak “catastrophic damage if not tightly controlled.” 

The bottom line: The OCR fines will bring more fines and lawsuits, more fines and more embarrassing press unless hospitals take compliance, risk assessments and incident planning seriously. 

 “Human error will not excuse the institution,” Bradfield said. “Once onsite, OCR will not limit itself to the circumstances of the particular event but will range more broadly to other areas of HIPAA compliance." 

Fore more information: 
- Read this press release

Related Articles:
Feds impose first civil fine ever in HIPAA case 
Patient info lost on subway earns MGH $1 million HIPAA fine
HHS raises maximum HIPAA privacy fines to $1.5 million