On the eve of several new proposed and final regulations to be released by the Office of Civil Rights (OCR) there seems to be no loss of big headlines. While OCR appeared to leave the enforcement headlines to the states for the last year or so, it became clear in the last month that they have certainly been active in their investigations. Just a few short weeks ago, a $4.3 million civil monetary fine was announced. That same week a fairly substantial resolution agreement was also announced. It remains to be seen whether the annual breach notifications from covered entities to OCR that were due on March 2 will also result in more investigations. Covered entities are required to submit an annual report of breaches in the prior year affecting less than 500 individuals. OCR reportedly received over 9,100 reports of breaches affecting less than 500 individuals This is a far cry from the projection of just over 100 per year. Recently OCR used these numbers to request additional staffing to investigate breaches.
Not to be forgotten, the Office of the Inspector General (OIG) announced a reminder that under the Medicare Modernization Act, every Medicare contractor must have its privacy and security program annually reviewed by an independent contractor. Following this news, the OCR has announced that it is hosting a series of training sessions for state attorneys general. The sessions will review both HIPAA and state privacy laws and instruction on the new enforcement role for the state attorneys general under the American Recovery and Reinvestment Act of 2009. The two-day programs will take place from April to June in Dallas, Atlanta, the Washington, D.C. metro area and San Francisco.
Below are some of the highlights as mentioned above, and each of these examples should be a reminder that every entity should have a thorough review of its program on a regular basis.
- The civil monetary fine of $4.3 million was issued against a Maryland-based clinic, Cignet Health, for allegedly denying more than 40 patients individual access rights to their medical records. The fine was not limited to the HIPAA violation, and also included a fine for failing to cooperate with the OCR investigation.
- Massachusetts General Hospital reached a $1 million settlement (Resolution Agreement) with OCR for an incident in 2009 in which paper records containing medical and financial information were accidently left on a subway and never recovered. The fine was incurred for the hospital's failure to implement reasonable and appropriate safeguards with respect to paper records. All entities responsible for HIPAA compliance must not only implement policies and procedures for such issues, but should be aware as to whether the policies and procedures are generally being followed by the workforce.
- In a letter dated February 17, 2011, David Levinson, the Inspector General for the Department of Health and Human Services, provided the Administrator for the Centers for Medicare and Medicaid Services (CMS) Donald Berwick with the results of the 2008 annual reviews. While the results are interesting, this activity should be a reminder to all covered entities that OCR is now tasked with affirmatively performing audits on covered entities. Privacy and Security Officers need to be well prepared for such an audit, as they will become a more common occurrence.
Finally, we cannot forget the impending changes that are about to occur. As the attorneys general continue to be educated on existing law, the health care industry must be prepared for changes to the HIPAA regulations in the coming months. While Connecticut seems to be taking one of the more aggressive leads in HIPAA enforcement, we should expect more action on the state front. Entities should be well aware of their present compliance policies and procedures as well as be prepared to make changes to ensure continued compliance. If you wish to discuss HIPAA compliance under the new requirements, please contact your Baker Donelson attorney.