Last week, the Department of Health and Human Services flexed its HIPAA enforcement authority in an unprecedented way. Heavy fines were dropped on not one but two organizations, totaling $5.3 million.
Last Thursday, a civil monetary penalty of $4.3 million was handed out to Cignet Health for violating privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Services said that the fines were being issued for two different reasons.
First, $1.3 million for not handing over the medical records of 41 patients (between the years of 2008 and 2009) as requested by the patients. Second, in what appears to be a clear statement of power, an additional $3 million for lack of cooperation by Cignet with the investigation surrounding the first fine.
A second organization, Massachusetts General Hospital, has agreed to pay a $1 million fine for a HIPAA privacy violation stemming from an incident in March 2009, when an employee allegedly left documents containing the personal health information of 192 patients on the subway.
HIPAA itself was enacted in 1996; since the HIPAA Enforcement Rule took effect in 2006, 12,791 violations have been recorded (source 1). While many are reporting that this is the first time the DHHS has issued fines for HIPAA privacy violations, that is not actually the case (source 2).
In 2008, Seattle-based Providence Health and Services was issued a $100,000 fine for privacy violations surrounding the loss of data on over 386,000 patients. The breaches behind last week's fines do not appear to be the result of electronic data theft (it is still not clear why Cignet refused to turn over patient records when requested). Even so, a recent report by Kaufman Rossin and Co (source 3) shows theft to be the leading cause of data breaches involving personal health information between September 21st, 2009 and September 21st, 2010.
These dates are significant because they represent the first year that these kinds of breaches were required to be publicly reported under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
With personal health data increasingly becoming a prime target for theft, and with these recent fines, it seems clear that the DHHS is getting more serious about enforcement. Many factors influence how the DHHS arrives at the amount of a specific fine, but one thing is clear: HIPAA violations are going to get a lot more expensive in the future.