HHS HIPAA Penalties Send Employers and Providers a Message

Two days after announcing its first-ever HIPAA penalty, a whopping $4.3 million imposed against Cignet Health of Prince George’s County, Maryland, HHS announced that a large Massachusetts hospital had agreed to pay $1 million to avoid a penalty proceeding. Although the hospital did not admit liability and did not pay a penalty, the settlement demonstrates how the significant increase in available HIPAA penalties as a result of the HITECH Act’s enactment has provided HHS with substantial leverage when negotiating a resolution of alleged HIPAA violations. HHS’ settlement with the hospital also is important because it suggests that HHS may not be very forgiving in one area of particularly high risk: the physical removal of protected health information (PHI) from a covered entity’s premises. To learn more about these developments and their implications for employers, please continue reading at Littler's Workplace Privacy Counsel.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.