In case you missed the OCR announcement late yesterday afternoon, the Department of Health and Human Services announced that it was imposing a civil money penalty of $4.3 million dollars against Cignet Health for various violations of HIPAA. These penalties were based upon the violation categories and increased penalty amounts authorized by the HITECH Act; discussed further here. The violations stemmed in part from Cignet's failure to provide 41 patients access to their own medical records as required under 45 C.F.R. § 164.524. In addition to the huge amount of the fine, according the HHS, this action marks the first civil money penalty issued by HHS for HIPAA Privacy Rule violations. This action could indicate a renewed push by HHS to enforce violations of HIPAA and utilize its heightened penalty schedule and enhanced enforcement powers provided under the HITECH Act. Could this be the new norm for HIPAA enforcement? Only time will tell.
The Office of Civil Rights for the Department of Health and Human Services (HHS) recently requested comments related to its upcoming rulemaking under the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009. HITECH expands the current HIPAA Privacy Rule requirement that a covered entity provide individuals with a right to receive an accounting of certain disclosures of the individual's protected health information to certain parties. Currently, under HIPAA, a covered entity is not obligated to provide an accounting of disclosures if such disclosures were in furtherance of treatment, payment, or health care operations (TPO). HITECH eliminated these exemptions by requiring covered entities to account for TPO disclosures if such disclosures are made through an electronic health record.Continue Reading...
As of February 22, 2010, the Department of Health and Human Services ("HHS") began enforcement of data breach notification requirements explained in the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Enacted as a part of the American Recovery and Reinvestment Act of 2009, the HITECH Act, modifies the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") substantially by, among other things, requiring covered entities to provide notification to individuals whose protected health information has been compromised, used, or disclosed without authorization, or otherwise fails to comply with HIPAA.
(For more information, see our law alert (PDF) published 08/21/09 and provides a general overview of the HITECH Act and its changes to HIPAA.)
In its "Breach Notification for Unsecured Protected Health; Information Interim Final Rule" issued August 24, 2009, HHS stated that it will begin imposing sanctions on February 22, 2010 against covered entities failing to comply with the HITECH Act requirements, although, HHS also states that it expects covered entities already to be in compliance with HITECH and HHS’s regulations. HHS enforcement implicates all health care providers, health plans, business associates, and others that use, access, or disclose protected health information.
Additionally, HITECH includes enhanced enforcement provisions such as:
- an increased scale of fines for noncompliance up to $1,500,000;
- the authorization to state Attorneys General to bring actions on behalf of state residents to enforce violations of HIPAA; and
- expanded applicability of various portions of HIPAA directly to business associates.
All affected entities should adopt and implement breach notification policies and procedures to ensure their appropriate response to data breach events and also to mitigate any potential harm that may result from such a breach. Porter Wright has broad experience advising clients in the areas of privacy and HIPAA compliance and is capable of counseling affected entities through the HIPAA breach notification process.