Penalties have increased... and the OCR is using them.
The HITECH Act of 2009 raised the maximum civil penalties for violations of the Privacy and Security Rules to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision.
The OCR used this enhanced enforcement power to issue the first ever civil monetary penalty for a HIPAA Privacy Rule violation when it imposed a $4.3 million penalty on Cignet Health on February 22, 2011. Cignet earned this penalty by denying 41 patients access to their medical records and then refusing to cooperate with the OCR's investigation. The OCR has continued to levy hefty fines for HIPAA violations:
- Massachusetts General Hospital agreed to pay $1 million to settle potential Privacy Rule violations after it lost the PHI of 192 patients when an employee left the records on the subway.
- UCLA Health System agreed to pay $865,500 to settle allegations that employees without a legitimate need viewed the PHI of celebrity patients and other patients, in violation of the Privacy and Security Rules.
Audits are underway.
The HITECH Act also requires the OCR to conduct audits to ensure that providers are complying with HIPAA, and its pilot audit program has been launched. By the end of 2012, 150 audits will be completed, and every covered entity is eligible to be selected. Audited providers will need to produce their HIPAA policies and procedures within 10 business days of the request and participate in an on-site visit. While the OCR says the main goal of the audits is to improve compliance, they are a clear sign that the government is serious about enforcing HIPAA.
MPA TIPS: How to use your compliance program to comply with HIPAA
- Make sure your Privacy Rule policies and procedures, plus all notices and forms (e.g. notice of privacy practices, authorization forms, logs of disclosures, etc.), are up to date. Every business associate relationship should also be documented with a signed business associate agreement.
- Ensure your Security Rule policies and procedures are current, and find out when your last security risk assessment was performed. If it has been a while since you conducted an assessment, or if your security circumstances have changed since then (new systems, new vendors, new locations), conduct and document a fresh risk assessment and update your policies and procedures to address any new risks you find.
- If you have not done so already, establish breach notification policies and procedures. These should include a decision tree to help employees determine whether a breach occurred and whether notice is required, plus draft notification letters ready to be customized.
- Verify that your employees have been trained to follow, and are actually following, your HIPAA policies; they will be interviewed if your organization is selected for an OCR audit.
- Remember: even if you are not audited in 2012, it is important to regularly review and update your HIPAA program to ensure compliance and avoid penalties.