Post-HITECH HIPAA Packs a Punch
HHS OCR Imposes $4 Million Penalty for HIPAA Violations
The Health Information Technology for Economic and Clinical Health (HITECH) Act's recent amendments to the Health Insurance Portability and Accountability Act (HIPAA) included dramatic penalty increases for HIPAA violations, and healthcare organizations are now feeling their sting.
The Health and Human Services' (HHS) Office for Civil Rights (OCR) imposed its first civil monetary penalty for violations of HIPAA’s Privacy Rule since it took effect in 2003. The OCR found that Cignet Health of Prince George’s County, Maryland, violated the privacy rights of 41 patients by denying their requests for medical records and imposed a penalty of $4,351,600.
HIPAA's Privacy Rule requires healthcare providers to give patients a copy of their medical records within 30 days of a request, and each day a provider fails to do so counts as a separate violation for each patient. In this case, the OCR assessed penalties of $100 per day per patient (the minimum penalty under the Privacy Rule), which came to $1,351,600. It then assessed a further $3 million for Cignet's failure to cooperate with the investigation over the course of two years: that violation carries a penalty of $50,000 per day, subject to an annual cap of $1.5 million, so two years at the cap produced $3 million.
Healthcare providers, insurance companies and other organizations that handle healthcare records should provide HIPAA training for all employees who work with those records, covering their duties to:
- Respect patients' rights to access their records;
- Safeguard the confidentiality of protected healthcare information; and
- Cooperate with investigations by government authorities.