The New HIPAA Landscape: Enhanced Enforcement, Million-dollar Payments and Data Breach Self-Reporting Requirements Compel Compliance


The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently intensified enforcement under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA imposes numerous restrictions and requirements on healthcare providers, insurance plans, billing companies and the business associates of these entities that handle patients' protected health information. Since the HIPAA rules went into effect in 2003, the focus of HIPAA enforcement has been on behavior modification; now, the focus has shifted to greater accountability and stiffer sanctions for noncompliance.

In just one week in February 2011, HHS announced a $1 million settlement with General Hospital Corporation and Massachusetts General Physicians Organization Inc. ("Mass General") regarding "potential" HIPAA violations. Two days earlier, HHS announced a $4.3 million civil monetary penalty against Cignet Health, a Maryland insurance company, based on HIPAA violations and the company's failure to cooperate with OCR's investigation. These cases, and HHS's apparent willingness to put them in the spotlight, demonstrate the agency's newfound commitment to investigating, uncovering and imposing penalties for HIPAA violations. In addition, HIPAA's new data breach rule, which requires entities to report breaches of unsecured protected health information, is likely to make it easier for HHS to follow up on HIPAA incidents.
