By Cassandra H. Arriaza and Sarah W. Walsh
The stakes are higher than ever before for HIPAA compliance. Enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”) is spread throughout numerous government bodies at the state and federal levels, leaving covered entities vulnerable to a wide scope of investigatory and enforcement actions. Each of these enforcement authorities brings a different approach and different focus to their HIPAA efforts:
- The Office for Civil Rights in the Department of Health and Human Services (“OCR”) can impose civil monetary penalties for HIPAA violations;
- State attorneys general can initiate civil proceedings for injunctive relief on behalf of a state’s citizens; and
- The Department of Justice (“DOJ”) can investigate and treat certain HIPAA violations as criminal offenses.
The differing remedies and corresponding approaches taken by these government bodies complicate the enforcement landscape, particularly with the recent addition of state enforcement. With increasing enforcement by state attorneys general and increasing penalties levied by OCR, HIPAA compliance has become the focus of investigations – no longer merely a backdrop to enforcement investigations.
State Attorneys General Join HIPAA Enforcement Landscape Through Civil Enforcement
State attorneys general have most recently entered the enforcement landscape, having only been given authority to pursue civil actions starting in 2009. Although it is still early to determine how state attorneys general will pursue enforcement, training on HIPAA enforcement offered by OCR for state attorneys general offers some insight. This training program, which was held in four different locations in 2011, was attended by representatives from 45 States and territories and the District of Columbia. Many of the modules focused on background information about HIPAA and the relationship between OCR and state attorneys general. For example, the training explained that pending federal actions take priority over state actions and OCR has a right to be heard in all matters that a state may file regarding HIPAA enforcement.
Most interesting was OCR’s suggestions to state attorneys general about how they may uncover potential HIPAA violations. Some of these methods are similar to those approaches that OCR itself takes—monitoring news outlets, breach reports filed by covered entities, receiving direct complaints, referrals from other agencies. However, OCR also suggested that states may learn of potential violations from whistleblowers or as a part of—or by revisiting—other types of investigations, such as health care fraud, labor and employment cases, or any case that involves health care access and licensure. Thus, in addition to investigating HIPAA problems that are likely already known to the covered entity—perhaps through breach reports or a patient complaint—state attorneys general may also use the threat of HIPAA civil penalties as additional leverage in broader—or even ongoing but unrelated—investigations of covered entities.
New England Takes the Lead in HIPAA Civil Enforcement Actions
Massachusetts followed Connecticut and Vermont as the third state to pursue HIPAA enforcement actions. The Massachusetts investigation followed a data breach that was reported to the Massachusetts Attorney General in July 2010. After receiving a breach report from South Shore Hospital, the Massachusetts Attorney General’s office launched an investigation into the hospital’s practices in handling protected health information. It was determined that the hospital had shipped three boxes containing 473 unencrypted back-up computer tapes to a third-party to be erased and resold, never having informed the third-party that Protected Health Information (“PHI”) was on the disks. Only one of the three boxes arrived at its destination. In May 2012, South Shore Hospital ultimately agreed to pay $750,000 to settle the data breach allegations. In addition, the hospital agreed to take a variety of steps to ensure compliance with HIPAA and agreed to undergo a review and audit of certain security measures.
More recently, on January 7, 2013, the Massachusetts Attorney General reached a settlement with Goldthwait Associates and four pathology groups. Goldthwait Associates, a medical billing practice, improperly disposed of PHI from those four pathology groups, affecting more than 67,000 residents. This first came to the public’s attention in July 2010 when a Boston Globe photographer, who was disposing of his own trash at the Georgetown Transfer Station, observed a large pile of papers, which he determined were medical records. The Massachusetts Attorney General alleged that the four pathology groups violated HIPAA by failing to have appropriate safeguards in place to protect the PHI and by failing to take reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect PHI. As part of the settlement, all five entities collectively agreed to pay $140,000 in civil penalties, attorney fees, and “a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.”
With Massachusetts at the forefront of state-based HIPAA enforcement, covered entities can expect that Massachusetts will continue to look for and bring additional HIPAA enforcement actions. Indeed, recent activity from the Massachusetts Attorney General underscores the intent to continue to pursue HIPAA violations. The Massachusetts Attorney General’s Office and the Massachusetts Medical Society held a “first-of-its-kind data privacy training” in October 2012 and January 2013. Additionally, the most recent HIPAA settlement from the Massachusetts Attorney General’s Office also include a contribution to a data protection fund. All of this points to increased HIPAA enforcement on the horizon in Massachusetts.
Monetary Fines Serve As New Enforcement Tool but Improved Compliance Remains the Focus for OCR
OCR also has been stepping up enforcement after it obtained authority to impose civil monetary penalties (“CMPs”) in 2009, but OCR’s focus remains largely on educating covered entities in proper procedures to prevent HIPAA violations, reserving monetary fines for the most serious of violations. Indeed, in 2011, OCR implemented a new audit system that ran through December 2012 to proactively review compliance with HIPAA. Although OCR describes these audits as a “compliance improvement tool” that will be used to determine what types of assistance OCR should develop, OCR has noted that in certain cases, it may elect to open a compliance review as a result of an audit. The future of the audit program will be shaped by evaluation and reports from the first year of audits.
The new audit process is just one of the ways in which OCR obtains information that can lead to an investigation. Other, more typical, sources of information that could result in the start of an OCR investigation include complaints from the public, breach reports filed by covered entities, and privacy and security incidents reported by the media or government agencies.
Two out of three cases investigated by OCR since 2003 have identified a violation and required the covered entity to make changes in privacy and security policies and practices. A majority of those cases have been resolved without CMPs, relying instead on voluntary agreements by the covered entity to take steps required by OCR, which might include revising or developing policies and procedures, training or retraining staff, or sanctioning members of the entity’s workforce. If needed, OCR may even provide “technical assistance” to help the covered entity make the required changes. For example, OCR resolved a complaint of a physician not providing a patient with a medical record by explaining to the physician that nonpayment for services does not permit a covered entity to withhold access to medical records. After OCR gave that explanation—its “technical assistance”—the physician provided the patient with a copy of the medical record, and this voluntary compliance resolved OCR’s investigation.
Increasingly, OCR does not resolve the violation through education and voluntary compliance alone but instead obtains a resolution agreement. Under a resolution agreement, a covered entity enters into a contract with OCR to settle potential violations and implement a corrective action plan. These agreements often include a monetary settlement as well as a period of monitoring or reporting to OCR. From 2008 through mid-January 2013, OCR has entered into eleven resolution agreements, with five of those occurring in 2012 alone.
These increasingly frequent resolution agreements can involve significant monetary settlements. In September 2012, Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (collectively, “MEEI”) paid $1.5 million as part of a resolution agreement. Following a breach report filed by MEEI in 2010 related to the theft of an unencrypted laptop containing PHI, OCR conducted an investigation and concluded that MEEI failed to take certain security steps, particularly relating to the use of portable devices to store confidential protected health information. In addition to paying $1.5 million, MEEI also agreed to a corrective action plan that includes reviewing, revising, and maintaining policies related to the HIPAA Security Rule. MEEI also agreed to have an independent monitor conduct assessments of its compliance with the corrective action plan; the monitor will issue semi-annual reports to OCR for three years. As can be seen with MEEI’s resolution agreement, these agreements not only can be costly but also can have long-term consequences as entities take on additional reporting requirements for a period of time after entering into the resolution agreement.
MEEI’s case follows the February 2011 resolution agreement OCR entered into with Massachusetts General Hospital (“MGH”). The resolution agreement come about as a result of a March 2009 incident where an MGH employee inadvertently left documents containing the PHI of 192 patients on the subway while commuting to work. OCR learned of the breach when an affected patient reported it. OCR’s investigation concluded that MGH failed to take reasonable and appropriate safeguards to protect PHI taken from MGH’s premises. In addition to paying one million dollars as part of the resolution agreement, MGH also agreed to a corrective action plan that required, among other things, the Director of Internal Audit Services of Partners HealthCare Systems to serve as an internal monitor to conduct assessments of MGH’s compliance with the corrective action plan and send semi-annual reports to OCR.
Although Massachusetts-based companies so far have been able to resolve violations through resolution agreements, OCR does have another tool available to address HIPAA violations. When a covered entity refuses to take action to resolve the matter in a manner satisfactory to OCR, OCR will seek CMPs but must first obtain authorization from the U.S. Attorney General. OCR’s first and only CMP to date issued to Cignet Health of Prince George’s County, Maryland (“Cignet”) in 2011. OCR’s investigation into Cignet began when Cignet denied 41 patients access to their requested medical records over a one-year period and each of those patients filed a complaint with OCR. Cignet refused to cooperate with OCR’s investigation, requiring OCR to obtain a subpoena to acquire the medical records. Remarkably, Cignet failed to respond to the subpoena, and OCR obtained a default judgment against Cignet to enforce that subpoena. OCR determined that Cignet’s failure to cooperate with the investigation was due to Cignet’s willful neglect to comply with HIPAA. As a result, OCR imposed a $4.3 million CMP for Cignet’s violations. Because CMP penalties increase with the knowledge of the entity—with the lowest penalties for violations where the entity lacked knowledge and the highest penalties for violations caused by willful neglect that were not corrected—CMP penalties can be expected to continue to be quite high. Not surprisingly, OCR has found that the specter of these CMP fines “have reinvigorated covered entities’ attention to compliance.”
DOJ’s HIPAA Investigations Tend to Be a Smaller Piece of a Larger Investigation
Another road for enforcement is through DOJ prosecution for criminal violations. Although OCR forwards to the FBI all HIPAA complaints or disclosures that involve potential criminal violations, the number of cases OCR refers to DOJ for possible criminal prosecution has been steadily declining since OCR’s enforcement tools were enhanced in 2009. Although over 500 cases have been referred to DOJ since 2003, the number of cases referred has declined in recent years with fewer than 20 referrals a year in 2010 and 2011. It is difficult to say with certainty how many cases related to HIPAA violations are prosecuted by DOJ. This is because the criminal statutes that can be used to prosecute medical privacy cases are varied and cases charging only a violation of HIPAA constitute only a small portion of DOJ’s cases. Although DOJ may not decide to prosecute all cases related to medical privacy, DOJ has noted that it tends to prosecute cases that fall under any one of three fact patterns: records stolen to commit massive fraud, records stolen for purpose of embarrassment, and records stolen for financial fraud. However, these cases are more likely to be brought under different statutes—such as unlawful computer access, conspiracy, or anti-kickback—rather than HIPAA, underscoring the difficulty of identifying the extent to which HIPAA plays into DOJ prosecutions.
Increased Civil Enforcement Calls for Heightened Attention to HIPAA Compliance
There is a continued pattern of DOJ focusing on cases that involve fraud or improper use of protected health information while OCR targets the prevention of disclosure of protected health information by seeking voluntary compliance and improved procedures.
It is less clear where state attorneys general will fit into this framework, but it seems likely that they will develop into significant players in this enforcement field. With increasing interest and activity on the part of state attorneys general and OCR, the potential for HIPAA violations to have costly and long-lasting consequences is increasing. Covered entities must be prepared to not only ensure full compliance with HIPAA through well-crafted and comprehensive written policies but also to vigilantly implement those policies, provide employees with robust training, and prepare an action plan to respond to any policy violations.
Cassandra H. Arriaza and Sarah W. Walsh are associates at LibbyHoopes, P.C. Their clients include organizations and private individuals in many fields, including health care, and their practices focus on white collar criminal defense, internal corporate investigations, and complex civil and administrative litigation.
 United States Department of Health & Human Services, HIPAA Enforcement Training for State Attorneys General, Module 6: Investigating and Prosecuting Potential HIPAA Violations, available at http://www.hhshipaasagtraining.com/module6.php.
 Compare Testimony of Leon Rodriguez, Direct of OCR, before the Senate Committee on the Judiciary, Subcommittee on Privacy, Technology and the Law, Nov. 9, 2011, available at http://www.judiciary.senate.gov/pdf/11-11-9RodriguezTestimony.pdf with United States Department of Health & Human Services, HIPAA Enforcement Training for State Attorneys General, Module 1: State Attorneys General Enforcement of Federal Health Privacy Law, available at http://www.hhshipaasagtraining.com/module1.php.
 Module 1, supra note 2.
 Lisa Pierce Reisz, “State Attorneys General Wade Further Into HIPAA Pool,” HealtHITech Law, Aug. 7, 2012, available at http://www.healthitechlaw.com/2012/08/07/state-attorneys-general-wade-further-into-hipaa-pool/.
 Press Release, Massachusetts Office of the Attorney General, “South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations,” May 24, 2012, available at http://www.mass.gov/ago/news-and-updates/press-releases/2012/2012-05-24-south-shore-hospital-data-breach-settlement.html.
 Press Release, Massachusetts Office of the Attorney General, “Former Owners of Medical Billing Practice, Pathology Groups Agree to Pay $140,000 to Settle Claims that Patients’ Health Information was Disposed of at Georgetown Dump,” January 7, 2013, available at http://www.mass.gov/ago/news-and-updates/press-releases/2013/140k-settlement-over-medical-info-disposed-of-at-dump.html.
 OCR, “HIPAA Privacy & Security Audit Program,” available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html (last visited Jan. 10, 2013).
 Kurt T. Temple, Esq., Deputy Regional Manager Region V, OCR, “An Update from OCR on HIPAA Enforcement,” HIPAA COW 2012 Spring Conference, Apr. 20, 2012, available at http://www.hipaacow.org/Events/Spring%202012/Temple%20Handout.pdf.
 Testimony of Leon Rodriguez, supra note 2.
 Temple, supra note 9.
 U.S. Department of Health and Human Services Office of Civil Rights, Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance for Calendar Years 2009 and 2010, at 14, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancerept.pdf.
 Testimony of Leon Rodriguez, supra note 2.
 The last resolution agreement of 2012 was completed on December 31 but not widely publicized until January 2, 2013. See Case Examples and Resolution Agreements, OCR, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html (last visited Jan. 15, 2013).
 Press Release, Department of Health and Human Services, “Massachusetts provider settles HIPAA case for $1.5 million,” Sept. 17, 2012, available at http://www.hhs.gov/news/press/2012pres/09/20120917a.html.
 Press Release, Department of Health and Human Services, “Massachusetts General Hospital settles potential HIPAA violations,” Feb. 24, 2011, available at http://www.hhs.gov/news/press/2011pres/02/20110224b.html.
 Annual Report to Congress, supra note 13; Testimony of Leon Rodriguez, supra note 2.
 Press Release, Department of Health and Human Services, “HHS imposes a $4.3 million civil penalty for violations of the HIPAA Privacy Rule,” Feb. 22, 2011, available at http://www.hhs.gov/news/press/2011pres/02/20110222a.html. See also Case Examples and Resolution Agreements, supra note 15 (listing all CMPs and resolution agreements).
 Temple, supra note 9.
 Testimony of Leon Rodriguez, supra note 2.
 Testimony of Loretta E. Lynch, U.S. Attorney, E.D.N.Y., before the Senate Committee on the Judiciary, Subcommittee on Privacy, Technology, and the Law, Nov. 9, 2011, available at http://www.justice.gov/ola/testimony/112-1/11-09-11-usa-lynch-testimony-re-examination-of-the-enforcement-of-federal-health-information-privacy-laws.pdf.