Two days after announcing its first-ever HIPAA penalty, a whopping $4.3 million imposed against Cignet Health of Prince George’s County, Maryland, HHS announced that a large Massachusetts hospital had agreed to pay $1 million to avoid a penalty proceeding. Although the hospital did not admit liability and did not pay a penalty, the settlement demonstrates how the significant increase in available HIPAA penalties as a result of the HITECH Act’s enactment has provided HHS with substantial leverage when negotiating a resolution of alleged HIPAA violations. HHS’ settlement with the hospital also is important because it suggests that HHS may not be very forgiving in one area of particularly high risk: the physical removal of protected health information (PHI) from a covered entity’s premises. To learn more about these developments and their implications for employers, please continue reading at Littler's Workplace Privacy Counsel.