Health and Human Services Steps Up Enforcement of HIPAA

March 7, 2011  

Written By Attorneys: Christopher J. DiIenno and John F. Mullen, Sr.

This article is an interpretation of current law and is offered for informational purposes only. This material is not legal advice and should not be construed or used as a substitute for the advice of an attorney.

The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights announced it was fining Cignet Health $4.3 million for failing to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. HHS imposed the civil monetary penalty on February 22, 2011. The fine was based on the provisions and increased penalty amounts authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This is the first fine issued by HHS for a covered entity's violations of the HIPAA Privacy Rule, and should serve as a warning to healthcare providers and the companies that insure them.

Under the HIPAA Privacy Rule, covered entities must provide requesting patients a copy of their medical records within 30 days of the request or provide a written denial. HHS received complaints from forty-one Cignet Health patients that the entity refused to fulfill or respond to their requests. HHS conducted individual investigations for each complaint, and imposed a penalty of $1.3 million for the combined violations. Cignet Health was assessed an additional $3 million fine for making little effort to resolve patient complaints or assist with HHS's investigation.

Two days after HHS's announcement, Massachusetts General Hospital agreed to pay HHS $1 million to settle allegations of HIPAA violations stemming from a 2009 incident in which a hospital employee lost 192 patient records on the subway. Though HHS described the incident as only a "potential violation" of HIPAA's data security requirements, the incident warranted a large settlement.

The implications of HHS's actions should be carefully considered by healthcare providers, their insurers and their business associates. The fear of large civil penalties for violations of HIPAA is now a reality. Healthcare entities must recognize the fact that the HITECH Act empowers state Attorneys General to enforce these federal regulations in addition to enforcement by the HHS. Further, with the announcement of the Massachusetts General Hospital settlement, even potential violations can result in steep penalties (and probably legal fees) for covered healthcare entities and business associates. These realities highlight the need for the healthcare industry to understand the importance of compliance with previously unenforced provisions of HIPAA and the HITECH Act.

For additional information related to this or other privacy and data security issues, please contact John F. Mullen at 215.358.5154 or via email at jmullen@nldhlaw.com or Christopher DiIenno at 215.358.5161 or cdiienno@nldhlaw.com.

  

  

  
