HIPAA Enforcement – The Gathering Storm Has Arrived

Cozen O'Connor

Since the Health Insurance Portability and Accountability Act (HIPAA) privacy rules became effective in April 2003, there has been minimal enforcement activity by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR). However, this has changed dramatically over the last two years, as evidenced by some recent high-profile and high-penalty enforcement actions taken by OCR. In addition to being concerned about OCR investigations, covered entities and business associates must also be on the alert for enforcement actions by state attorneys general, potential class action lawsuits, and OCR's HIPAA audit program. Even though many in the health care industry are sitting in a holding pattern waiting for the HIPAA/Health Information Technology for Economic and Clinical Health (HITECH) Act final rules, covered entities and business associates should thus be as vigilant as ever, if not more so, in their HIPAA compliance efforts.

1. OCR Enforcement

Over the last two years OCR has significantly increased its HIPAA enforcement efforts. Following an extensive investigation by OCR, Massachusetts General Hospital agreed in February 2011 to pay the U.S. government $1,000,000 and enter into a corrective action plan to settle potential HIPAA violations. The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 infectious disease patients, including those with HIV/AIDS, that occurred when a hospital employee left the records on a subway car. In addition, on March 13, 2012, BlueCross BlueShield of Tennessee (BCBST) agreed to pay the government a $1.5 million civil penalty and enter into a corrective action plan, following an investigation by OCR into a breach reported by BCBST pursuant to the breach notification provisions of the HITECH Act. Despite having a number of security measures in place, 57 hard drives containing the PHI of more than 1 million individuals were stolen from a BCBST-leased facility. The enforcement action was the first resulting from a report made under the HITECH Act breach notification provisions and implementing regulations. See 42 C.F.R. § 164.400 et seq. More recently, OCR concluded another investigation resulting from a HITECH Act breach notification. On September 17, 2012, Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) agreed to pay the U.S. government $1.5 million to settle potential HIPAA violations, enter into a corrective action plan, and retain an independent monitor to report on MEEI's compliance efforts. The breach report and subsequent OCR investigation resulted from the theft of a single laptop containing the unencrypted electronic PHI of over 3,600 MEEI patients and research subjects.

Please see full publication below for more information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Cozen O'Connor
