HHS' One-Two HIPAA Penalty Punch Sends a Message to Employers and Providers

Two days after announcing its first-ever HIPAA penalty, a whopping $4.3 million imposed against Stack of medical records with stethoscopeCignet Health of Prince George’s County, Maryland, HHS announced that a large Massachusetts hospital had agreed to pay $1 million to avoid a penalty proceeding. Although the hospital did not admit liability and did not pay a penalty, the settlement demonstrates how the significant increase in available HIPAA penalties as a result of the HITECH Act’s enactment has provided HHS with substantial leverage when negotiating a resolution of alleged HIPAA violations. HHS’ settlement with the hospital also is important because it suggests that HHS may not be very forgiving in one area of particularly high risk: the physical removal of protected health information (PHI) from a covered entity’s premises.

The incident that ultimately led to the hospital’s $1 million settlement payment was innocent enough. According to the settlement agreement, which is public, and HHS’ press release announcing the settlement, an employee of the hospital’s outpatient practice took home, for work purposes, paper records containing the PHI of 192 patients, including patients with HIV/AIDS. The settlement agreement states that the “documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice's daily office schedules for three days containing the names and medical record numbers of 192 patients.” On her way into work on the subway, the employee placed the documents, bound by a rubber band, on the seat next to her and forgot them there when she exited the train. The records never were recovered.

While HHS does not reveal the negotiations leading to the $1 million settlement amount, the enhanced HITECH penalties likely figured prominently in the discussion. The HITECH Act gives HHS substantial discretion in deciding what constitutes a single violation. In this situation, HHS likely took the position that there were at least 192 violations, one for each patient whose PHI was lost. In addition, HITECH permits HHS to impose a penalty of up to $50,000 per violation capped at $1.5 million annually for the same violation. Thus, the negotiations over the penalty likely centered around where the settlement should fall in the range between $100 per violation (the minimum penalty) and approximately $7,800 per violation (i.e., $1.5 million divided by 192). The negotiations resulted in a settlement amount of approximately $5,200 per violation. The lesson to be drawn is that the HITECH penalty scheme provides HHS with the leverage to negotiate a substantial settlement payment even for incidents involving a relatively small number of individuals. The fact that the lost records revealed an HIV/AIDS diagnosis, highly sensitive information, for at least some of the 192 affected patients also likely had an impact on HHS’ settlement position.

The settlement between HHS and the hospital also reveals, at least implicitly, HHS’ position that it is unacceptable for employees to remove paper or electronic records containing PHI from a covered entity’s physical premises without taking precautions to safeguard those records. More specifically, the settlement agreement requires that the hospital implement policies and procedures aimed at safeguarding any PHI that leaves the hospital’s premises, including the encryption of any laptop or USB drive containing PHI that is taken off-site. In addition, the hospital must: (a) distribute these policies to all members of its workforce; (b) review and, as necessary, update the policies annually; (c) train all employees with access to PHI in the policies; and (d) review the training annually or as necessary.

Employers and providers can take away several lessons from this incident. First, even innocent mistakes that compromise PHI could result in substantial penalties or settlements. Second, covered entities should implement and enforce policies and procedures that restrict the removal of PHI from their premises and that require strict safeguards for PHI, such as encryption, when it is taken off-site. Third, HHS likely will inquire into the training that has been provided to workforce members whenever an incident involves the loss or theft of PHI that was taken off-site. As a result, that training should be thorough, well documented, and updated as necessary to remain consistent with existing policies, new legal requirements, and evolving best practices.

Photo credit: AtnoYdur

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.