
“Should I Tell Someone?” Permissible Disclosures by Massachusetts Health Providers and the Need for Greater Statutory Clarification

By William M. Mandell

In the wake of the recent Newtown shootings and the Boston Marathon bombings, a lingering question for health providers has been whether they ever have a duty, or the option, to disclose information derived from patient encounters if that information could help prevent an attack or a violent crime, help apprehend a suspect, or solve a criminal investigation.

Health care lawyers are frequently confronted with questions from hospitals, physicians and other providers about how to navigate and apply the conflicting legal and ethical duties to maintain and protect patient privacy rights but also to protect third parties and the general public from harm. Can medical groups proactively report to the police that a patient is mentally unstable and may have access to guns? May hospitals release information about victims of an attack to the police without consent?

This article summarizes current federal and Massachusetts law on the circumstances in which Massachusetts health care providers are authorized to share patient information with law enforcement and public safety personnel and agencies, notwithstanding patient privacy laws. This article also identifies some shortcomings under current Massachusetts law, and proposes a legislative solution to the confusion between HIPAA and a lack of clarity under existing applicable Massachusetts law.

A. Federal HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule established by the Office of Civil Rights (“OCR”) of the United States Department of Health and Human Services (“HHS”) does identify a variety of permissible urgent situations in which a health care provider may disclose patient health information.

Notwithstanding this fact, since the effective date of the HIPAA Privacy Rule in 2003, providers have had a greater reluctance to talk or report facts to law enforcement, either because of a failure to properly understand or apply HIPAA or a fear of liability.

Criminal and civil penalties can be imposed on both individuals and organizations under HIPAA for impermissible disclosures, but there are no such statutory penalties for failing to make disclosures to law enforcement or government agencies that HIPAA authorizes. Additionally, many states, including Massachusetts, have very strong and broadly established patient privacy rights over additionally protected areas of sensitive information but less clearly delineated exceptions for disclosures without patient consent for public safety and law enforcement reasons.

Although it establishes a minimum level of privacy rights under federal law, the HIPAA Privacy Rule does not pre-empt any state laws that grant greater protections over patient health information. Thus, health lawyers must help provider clients harmonize the application of a HIPAA provision with a state law that may be more protective of patient health information.

For example, HIPAA permits a hospital to release a patient record including HIV test results or psychiatric treatment communications upon a subpoena alone and without written patient authorization or a court order, if the discovering party can show it has met certain procedural requirements ensuring that proper notice has been given to the patient’s counsel and no objections or motions for protective orders have been filed. However, Massachusetts statutes covering HIV test results or psychiatric treatment communications – more protective of patient rights and thus not pre-empted by HIPAA – require the presentation of either a written patient consent or a court order before that portion of a patient record may be disclosed.

OCR, in the Privacy Rule, attempted to strike the right balance between patient privacy and the need to protect public safety, and in doing so permits the use and disclosure of protected health information, without an individual’s authorization or permission, for twelve national priority purposes. OCR has noted that these disclosures are permitted, although not required, by the Privacy Rule in recognition of the important uses made of health information outside of the health care context. For each public interest purpose, OCR included specific conditions or limitations in the Privacy Rule to strike the right balance between the individual privacy interest and the public interest need for such information.

Among these twelve national priority purposes, the HIPAA Privacy Rule permits disclosures without patient consent in the following circumstances:

  • To assist law enforcement in certain extreme situations
  • To avert serious threats to health or public safety
  • To protect national security
  • To protect the public health

1. Assist Law Enforcement

HIPAA permits providers to disclose patient health information without permission from the patient for a law enforcement purpose to a law enforcement official in the following situations:

Providers can disclose health information to comply with federal or state reporting laws, including laws that require the reporting of certain types of wounds or other physical injuries.

In response to a law enforcement official’s request for information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, a provider may disclose the following:

(1) Name and address;

(2) Date and place of birth;

(3) Social security number;

(4) ABO blood type and Rh factor;

(5) Type of injury;

(6) Date and time of treatment;

(7) Date and time of death, if applicable; and

(8) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.

However, DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue can only be released upon issuance of a court order, warrant, or written administrative request.

In response to a law enforcement official’s request for patient information about an individual who is or is suspected to be a victim of a crime, if the individual is incapacitated or there are other emergency circumstances, as long as:

(A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person, other than the victim, has occurred, and such information is not intended to be used against the victim;

(B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and

(C) The disclosure is in the best interests of the individual as determined by the provider, in the exercise of professional judgment.

2. To Avert Serious Threats to Health or Public Safety

The HIPAA Privacy Rule also permits providers, acting consistent with applicable law and standards of ethical conduct, to disclose patient health information without consent where the provider in good faith believes the use or disclosure:

Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and is to a recipient reasonably able to prevent or lessen the threat, including the target of the threat; or

Is necessary for law enforcement authorities to identify or apprehend an individual:

(A) Because of a statement by an individual admitting participation in a violent crime that the provider reasonably believes may have caused serious physical harm to the victim; or

(B) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

The information provided must not exceed what the minimum necessary standard allows. For purposes of identifying or apprehending an individual, the information authorized to be disclosed is limited to the same eight basic identifying items that can be disclosed in response to a law enforcement official’s request for information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.

HIPAA presumes that the disclosing provider in these instances has acted in good faith with regard to the belief of the necessity for such public safety disclosures.

3. National Security and Intelligence Activities

Providers may also disclose protected health information to authorized federal officials under the HIPAA Privacy Rule for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act and implementing authority. Those activities can include efforts to create counter-terrorism intelligence databases, including health records. Thus, the reporting of possible or suspected terrorists or terrorist activity by a provider is not necessarily prohibited under HIPAA, and a provider meeting the minimum necessary standard could share its suspicions with federal and state law enforcement agencies without violating HIPAA. The bigger question is whether such a disclosure would run afoul of more protective state laws protecting patient privacy, and whether a provider could be subject to a lawsuit for invasion of privacy or patient rights under Massachusetts law.

4. Public Health Protection

The HIPAA Privacy Rule also allows disclosures of protected health information without patient authorization to public health authorities to carry out their mission to protect the public’s health and safety.

The Privacy Rule permits – but does not require – providers to disclose protected health information, without authorization, to public health authorities who are legally authorized to receive such reports for a variety of widely accepted public health functions such as: the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority.  Covered entities who are also a public health authority may use, as well as disclose, protected health information for these public health purposes.

Generally, covered entities are required to reasonably limit the protected health information disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose. However, covered entities are not required to make a minimum necessary determination for public health disclosures that are made pursuant to an individual’s authorization, or for disclosures that are required by other law. Since most public health disclosures are made by providers under specific mandatory reporting laws established by both federal and state agencies, the minimum necessary rule under HIPAA is often not applicable when a provider is fulfilling a mandatory reporting obligation. Furthermore, the HIPAA Privacy Rule also allows covered entities to reasonably rely on a minimum necessary determination made by the public health authority when it initiates a request for protected health information.

Permissible public health disclosures under HIPAA also cover mandatory or suggested disclosures to authorized third parties who have a need to know, such as to the police in the case of known or suspected abuse or neglect of children or the elderly, or of victims of domestic violence or rape. Similarly, if state law allows providers to warn third parties of exposure to a communicable disease, HIPAA also allows the same disclosure as necessary to carry out public health interventions or investigations to prevent or control the spread of the disease.

B. New OCR Guidance

Following the Newtown tragedy, the HHS Office of Civil Rights published a letter to the nation’s healthcare providers in January 2013 to make them aware of their ability under HIPAA to disclose information, and of their ethical “duty to warn,” when they believe a patient poses a serious and imminent threat.

The OCR letter clarifies that the HIPAA Privacy Rule permits disclosure when a health care provider believes in good faith that a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others.  If the disclosure is made consistent with applicable law and standards of ethical conduct, the provider may alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. The provider is presumed to have such a good faith belief when the provider warns and discloses upon obtaining actual knowledge of facts from interaction with the patient or in reliance on a credible representation by a person with apparent knowledge or authority, such as a friend or family member of the patient.

The OCR letter further states that a health care provider may disclose patient information, including information from mental health records, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm.

Thus, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member or others who may be able to intervene to avert harm from the threat.

Such disclosures are not only permitted by HIPAA, but are also advisable under state tort laws following the duty to warn standard first recognized by the California Supreme Court in 1974 in Tarasoff v. the Regents of the University of California. Tarasoff established a common law duty upon health care providers to warn potential victims and the authorities, notwithstanding patient privacy rights, when an individual makes a credible threat of violence. The Tarasoff rule can be best summarized in its most often quoted passage: “The protective privilege ends where the public peril begins . . . .”

C. Massachusetts Law on Patient Privacy and Disclosure

In sharp contrast, the scope of permitted disclosures to warn third parties or avert possible imminent harm to possible victims is more limited under Massachusetts law. Furthermore, Massachusetts law articulates very stringent privacy and confidentiality protection and duties to maintain patient confidentiality, with only a handful of stated exceptions related to public safety. Unlike other states’ patient privacy laws, Massachusetts does not have a single comprehensive statutory act governing all facets of health care information confidentiality and permitted disclosure. Instead, the law of patient privacy and confidentiality in Massachusetts is comprised of a patchwork of different sources: constitutional, statutory, common law, and a variety of state agency regulations.

Generally, the right of privacy in Massachusetts is either implicitly or explicitly recognized and protected under the state constitution, Opinion of Justices, 375 Mass. 795, 806-9 (1978), by common law, Commonwealth v. Wiseman, 356 Mass. 251 (1969), and by statute.  Massachusetts Gen. Laws c. 214, § 1B provides for a general right to privacy (“[a] person shall have a right against unreasonable, substantial or serious interference with his privacy”) and authorizes a civil tort action to recover damages for any interference with that privacy right.

Specific to health information, Mass. Gen. Laws c. 111, §§ 70 and 70E (the “Massachusetts Patient’s Bill of Rights”), Mass. Gen. Laws c. 112, § 12CC, and a variety of other statutes and licensing board regulations establish the right of patients of Massachusetts hospitals, licensed facilities, physicians and other practitioners to the confidentiality of all records and communications.

In addition, the Massachusetts Supreme Judicial Court has ruled that physicians have an affirmative duty to maintain the confidentiality of patients’ medical information, and a breach of patient confidentiality can result in tort liability for the physician as well as the discovering party.  Alberts v. Devine, 395 Mass. 508 (1985).

The Massachusetts Legislature has also implicitly recognized the general legal and ethical obligation not to release medical information without patient consent by enacting several statutes establishing qualified evidentiary privileges protecting certain medical information and by authorizing and immunizing particular non-consensual disclosures.  These statutes (and the cases interpreting them) comprise the body of medical information confidentiality laws in Massachusetts.

Generally, absent written patient consent or an appropriate court order or subpoena, Massachusetts health providers are not explicitly permitted to divulge medical information to the police or other law enforcement agencies.

Under the Massachusetts statutory version of the Tarasoff rule, Mass. Gen. Laws c. 123, § 36B, licensed mental health professionals have a professional duty to take reasonable precautions to warn or protect a potential victim or victims of a patient (and are granted immunity against invasion of privacy claims) in the following circumstances:

The patient has communicated to the licensed mental health professional an explicit threat to kill or inflict serious bodily injury upon a reasonably identified victim or victims, and the patient has an apparent intent and ability to carry out the threat; or

The patient has a history of physical violence which is known to the practitioner and the practitioner has a reasonable basis to believe that there is a clear and present danger that the patient will attempt to kill or inflict serious bodily injury against a reasonably identifiable victim or victims.

In such instances, licensed mental health professionals are authorized to disclose confidential patient communications by taking one or more of the following reasonable precautions:

Communicate the threat to the reasonably identified victim or victims;

Notify the appropriate law enforcement agency in the vicinity where the patient or potential victim resides;

Arrange for voluntary hospitalization, or initiate proceedings for involuntary commitment.

In situations where Massachusetts providers other than mental health practitioners believe that failure to disclose patient information will result in serious danger to the patient or others, they have tended to make the disclosure. Even without explicit statutory authority, hospitals, physicians and other non-psychotherapist providers usually make these disclosures from a risk management and general common law standpoint, disclosing only limited information to prevent serious and imminent danger. The Massachusetts Supreme Judicial Court has recognized a “serious danger exception” to a physician’s common law duty to maintain patient confidentiality.

Massachusetts providers have generally disclosed only that information necessary to prevent serious danger, but there have been many instances where police departments, hospitals and other providers have disputed whether and to what extent such disclosures are allowed without a court order or written patient authorization.

While the right of privacy is not absolute under Massachusetts law and only unreasonable interference is actionable, the specific statutory exceptions for mandatory reporting (e.g. bullet wounds) and for permissible public safety disclosure are confusing under the variety of applicable Massachusetts legal sources. As noted above, outside of psychotherapists there is no explicit state statutory exception allowing hospitals and physicians to report instances of serious and imminent danger and granting them immunity for doing so.

D. Recent Tragic Events Should Compel Massachusetts to Take Legislative Action

Massachusetts is in need of comprehensive, consolidated legislation on the balance between patient privacy rights and permissible and necessary limited disclosures to protect the public. Such legislation should contain explicit statutory provisions applicable to all classes of providers, in order to delineate and provide clear guidance on what type of public safety disclosures are permitted, and in what circumstances.

The Massachusetts Legislature could ease the confusion among providers and lessen the risk of future preventable tragedies by having Massachusetts law adopt and follow the permissible HIPAA public safety exceptions described above, and by granting immunity under state law to providers who follow these HIPAA permissive disclosures. HIPAA’s limited pre-emption of state law still leaves it to state governments to identify when they want to be more protective of patient rights and limit disclosures that may be otherwise permitted under HIPAA. Providers in Massachusetts would be better served by such a state statute, as it would diminish the current uncertainty and case-by-case effort that hospitals, medical practices and other providers must regularly engage in when they balance their legal and ethical duties to patients against the safety of the general public.


Bill Mandell is a founding member and co-managing partner of Pierce & Mandell, P.C. He represents health care providers in regulatory and transactional matters, including practice start-ups, buy-ins and buy-outs, hospital-physician relationships, risk management, professional contracts and regulatory compliance. He also represents non-profit organizations, corporate executives, start-ups, and small and family businesses. He serves frequently as a neutral hearing officer and advisor to medical staff hearing panels for medical staff disciplinary action and peer review appeals.

HIPAA Enforcement Trends: Growing Civil Enforcement

By Cassandra H. Arriaza and Sarah W. Walsh

The stakes are higher than ever before for HIPAA compliance.  Enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”) is spread throughout numerous government bodies at the state and federal levels, leaving covered entities vulnerable to a wide scope of investigatory and enforcement actions.  Each of these enforcement authorities brings a different approach and different focus to their HIPAA efforts:

  • The Office for Civil Rights in the Department of Health and Human Services (“OCR”) can impose civil monetary penalties for HIPAA violations;
  • State attorneys general can initiate civil proceedings for injunctive relief on behalf of a state’s citizens; and
  • The Department of Justice (“DOJ”) can investigate and treat certain HIPAA violations as criminal offenses.

The differing remedies and corresponding approaches taken by these government bodies complicate the enforcement landscape, particularly with the recent addition of state enforcement.  With increasing enforcement by state attorneys general and increasing penalties levied by OCR, HIPAA compliance has become the focus of investigations – no longer merely a backdrop to enforcement investigations.

State Attorneys General Join HIPAA Enforcement Landscape Through Civil Enforcement

State attorneys general have most recently entered the enforcement landscape, having only been given authority to pursue civil actions starting in 2009.  Although it is still early to determine how state attorneys general will pursue enforcement, training on HIPAA enforcement offered by OCR for state attorneys general offers some insight.  This training program, which was held in four different locations in 2011, was attended by representatives from 45 States and territories and the District of Columbia.  Many of the modules focused on background information about HIPAA and the relationship between OCR and state attorneys general.  For example, the training explained that pending federal actions take priority over state actions and OCR has a right to be heard in all matters that a state may file regarding HIPAA enforcement.[1]

Most interesting were OCR’s suggestions to state attorneys general about how they may uncover potential HIPAA violations.  Some of these methods are similar to the approaches that OCR itself takes—monitoring news outlets, breach reports filed by covered entities, receiving direct complaints, and referrals from other agencies.[2]  However, OCR also suggested that states may learn of potential violations from whistleblowers or as a part of—or by revisiting—other types of investigations, such as health care fraud, labor and employment cases, or any case that involves health care access and licensure.[3]  Thus, in addition to investigating HIPAA problems that are likely already known to the covered entity—perhaps through breach reports or a patient complaint—state attorneys general may also use the threat of HIPAA civil penalties as additional leverage in broader—or even ongoing but unrelated—investigations of covered entities.

New England Takes the Lead in HIPAA Civil Enforcement Actions

Massachusetts followed Connecticut and Vermont as the third state to pursue HIPAA enforcement actions.[4]  The Massachusetts investigation followed a data breach that was reported to the Massachusetts Attorney General in July 2010.  After receiving a breach report from South Shore Hospital, the Massachusetts Attorney General’s office launched an investigation into the hospital’s practices in handling protected health information.  It was determined that the hospital had shipped three boxes containing 473 unencrypted back-up computer tapes to a third party to be erased and resold, never having informed the third party that Protected Health Information (“PHI”) was on them.  Only one of the three boxes arrived at its destination.  In May 2012, South Shore Hospital ultimately agreed to pay $750,000 to settle the data breach allegations.  In addition, the hospital agreed to take a variety of steps to ensure compliance with HIPAA and agreed to undergo a review and audit of certain security measures.[5]

More recently, on January 7, 2013, the Massachusetts Attorney General reached a settlement with Goldthwait Associates and four pathology groups.  Goldthwait Associates, a medical billing practice, improperly disposed of PHI from those four pathology groups, affecting more than 67,000 residents.  This first came to the public’s attention in July 2010 when a Boston Globe photographer, who was disposing of his own trash at the Georgetown Transfer Station, observed a large pile of papers, which he determined were medical records.  The Massachusetts Attorney General alleged that the four pathology groups violated HIPAA by failing to have appropriate safeguards in place to protect the PHI and by failing to take reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect PHI.  As part of the settlement, all five entities collectively agreed to pay $140,000 in civil penalties, attorney fees, and “a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.”[6]

With Massachusetts at the forefront of state-based HIPAA enforcement, covered entities can expect that Massachusetts will continue to look for and bring additional HIPAA enforcement actions.  Indeed, recent activity from the Massachusetts Attorney General underscores the intent to continue to pursue HIPAA violations.  The Massachusetts Attorney General’s Office and the Massachusetts Medical Society held a “first-of-its-kind data privacy training” in October 2012 and January 2013.  Additionally, the most recent HIPAA settlement from the Massachusetts Attorney General’s Office also included a contribution to a data protection fund.[7]  All of this points to increased HIPAA enforcement on the horizon in Massachusetts.

Monetary Fines Serve As New Enforcement Tool but Improved Compliance Remains the Focus for OCR

OCR also has been stepping up enforcement after it obtained authority to impose civil monetary penalties (“CMPs”) in 2009, but OCR’s focus remains largely on educating covered entities in proper procedures to prevent HIPAA violations, reserving monetary fines for the most serious of violations.  Indeed, in 2011, OCR implemented a new audit system that ran through December 2012 to proactively review compliance with HIPAA.[8]  Although OCR describes these audits as a “compliance improvement tool” that will be used to determine what types of assistance OCR should develop, OCR has noted that in certain cases, it may elect to open a compliance review as a result of an audit.[9]  The future of the audit program will be shaped by evaluation and reports from the first year of audits.

The new audit process is just one of the ways in which OCR obtains information that can lead to an investigation.  Other, more typical, sources of information that could result in the start of an OCR investigation include complaints from the public, breach reports filed by covered entities, and privacy and security incidents reported by the media or government agencies.[10]

Two out of three cases investigated by OCR since 2003 have identified a violation and required the covered entity to make changes in privacy and security policies and practices.[11]  A majority of those cases have been resolved without CMPs, relying instead on voluntary agreements by the covered entity to take steps required by OCR, which might include revising or developing policies and procedures, training or retraining staff, or sanctioning members of the entity’s workforce.[12]  If needed, OCR may even provide “technical assistance” to help the covered entity make the required changes.  For example, OCR resolved a complaint of a physician not providing a patient with a medical record by explaining to the physician that nonpayment for services does not permit a covered entity to withhold access to medical records.  After OCR gave that explanation—its “technical assistance”—the physician provided the patient with a copy of the medical record, and this voluntary compliance resolved OCR’s investigation.[13]

Increasingly, OCR does not resolve the violation through education and voluntary compliance alone but instead obtains a resolution agreement.  Under a resolution agreement, a covered entity enters into a contract with OCR to settle potential violations and implement a corrective action plan.  These agreements often include a monetary settlement as well as a period of monitoring or reporting to OCR.[14]  From 2008 through mid-January 2013, OCR has entered into eleven resolution agreements, with five of those occurring in 2012 alone.[15]

These increasingly frequent resolution agreements can involve significant monetary settlements.  In September 2012, Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (collectively, “MEEI”) paid $1.5 million as part of a resolution agreement.  Following a breach report filed by MEEI in 2010 related to the theft of an unencrypted laptop containing PHI, OCR conducted an investigation and concluded that MEEI failed to take certain security steps, particularly relating to the use of portable devices to store confidential protected health information.  In addition to paying $1.5 million, MEEI also agreed to a corrective action plan that includes reviewing, revising, and maintaining policies related to the HIPAA Security Rule.  MEEI also agreed to have an independent monitor conduct assessments of its compliance with the corrective action plan; the monitor will issue semi-annual reports to OCR for three years.[16]  As can be seen with MEEI’s resolution agreement, these agreements not only can be costly but also can have long-term consequences as entities take on additional reporting requirements for a period of time after entering into the resolution agreement.

MEEI’s case follows the February 2011 resolution agreement OCR entered into with Massachusetts General Hospital (“MGH”).  The resolution agreement came about as a result of a March 2009 incident in which an MGH employee inadvertently left documents containing the PHI of 192 patients on the subway while commuting to work.  OCR learned of the breach when an affected patient reported it.  OCR’s investigation concluded that MGH failed to take reasonable and appropriate safeguards to protect PHI taken from MGH’s premises.  In addition to paying one million dollars as part of the resolution agreement, MGH also agreed to a corrective action plan that required, among other things, the Director of Internal Audit Services of Partners HealthCare Systems to serve as an internal monitor to conduct assessments of MGH’s compliance with the corrective action plan and send semi-annual reports to OCR.[17]

Although Massachusetts-based companies so far have been able to resolve violations through resolution agreements, OCR does have another tool available to address HIPAA violations.  When a covered entity refuses to take action to resolve the matter in a manner satisfactory to OCR, OCR will seek CMPs but must first obtain authorization from the U.S. Attorney General.[18]  OCR’s first and only CMP to date was issued to Cignet Health of Prince George’s County, Maryland (“Cignet”) in 2011.  OCR’s investigation into Cignet began when Cignet denied 41 patients access to their requested medical records over a one-year period and each of those patients filed a complaint with OCR.  Cignet refused to cooperate with OCR’s investigation, requiring OCR to obtain a subpoena to acquire the medical records.  Remarkably, Cignet failed to respond to the subpoena, and OCR obtained a default judgment against Cignet to enforce that subpoena.  OCR determined that Cignet’s failure to cooperate with the investigation was due to Cignet’s willful neglect to comply with HIPAA.  As a result, OCR imposed a $4.3 million CMP for Cignet’s violations.[19]  Because CMP penalties increase with the knowledge of the entity—with the lowest penalties for violations where the entity lacked knowledge and the highest penalties for violations caused by willful neglect that were not corrected[20]—CMP penalties can be expected to remain quite high.  Not surprisingly, OCR has found that the specter of these CMP fines “have reinvigorated covered entities’ attention to compliance.”[21]

DOJ’s HIPAA Investigations Tend to Be a Smaller Piece of a Larger Investigation

Another road for enforcement is through DOJ prosecution for criminal violations.  Although OCR forwards to the FBI all HIPAA complaints or disclosures that involve potential criminal violations, the number of cases OCR refers to DOJ for possible criminal prosecution has been steadily declining since OCR’s enforcement tools were enhanced in 2009.  Although over 500 cases have been referred to DOJ since 2003, the number of cases referred has declined in recent years, with fewer than 20 referrals a year in 2010 and 2011.  It is difficult to say with certainty how many cases related to HIPAA violations are prosecuted by DOJ.  This is because the criminal statutes that can be used to prosecute medical privacy cases are varied, and cases charging only a violation of HIPAA constitute only a small portion of DOJ’s cases.  Although DOJ may not decide to prosecute all cases related to medical privacy, DOJ has noted that it tends to prosecute cases that fall under any one of three fact patterns: records stolen to commit massive fraud, records stolen for the purpose of embarrassment, and records stolen for financial fraud.[22]  However, these cases are more likely to be brought under different statutes—such as unlawful computer access, conspiracy, or anti-kickback—rather than HIPAA, underscoring the difficulty of identifying the extent to which HIPAA plays into DOJ prosecutions.

Increased Civil Enforcement Calls for Heightened Attention to HIPAA Compliance

There is a continued pattern of DOJ focusing on cases that involve fraud or improper use of protected health information while OCR targets the prevention of disclosure of protected health information by seeking voluntary compliance and improved procedures.

It is less clear where state attorneys general will fit into this framework, but it seems likely that they will develop into significant players in this enforcement field.  With increasing interest and activity on the part of state attorneys general and OCR, the potential for HIPAA violations to have costly and long-lasting consequences is increasing.  Covered entities must be prepared to not only ensure full compliance with HIPAA through well-crafted and comprehensive written policies but also to vigilantly implement those policies, provide employees with robust training, and prepare an action plan to respond to any policy violations.

Cassandra H. Arriaza and Sarah W. Walsh are associates at LibbyHoopes, P.C. Their clients include organizations and private individuals in many fields, including health care, and their practices focus on white collar criminal defense, internal corporate investigations, and complex civil and administrative litigation.

[1] United States Department of Health & Human Services, HIPAA Enforcement Training for State Attorneys General, Module 6: Investigating and Prosecuting Potential HIPAA Violations, available at

[2] Compare Testimony of Leon Rodriguez, Director of OCR, before the Senate Committee on the Judiciary, Subcommittee on Privacy, Technology and the Law, Nov. 9, 2011, available at with United States Department of Health & Human Services, HIPAA Enforcement Training for State Attorneys General, Module 1: State Attorneys General Enforcement of Federal Health Privacy Law, available at

[3] Module 1, supra note 2.

[4] Lisa Pierce Reisz, “State Attorneys General Wade Further Into HIPAA Pool,” HealtHITech Law, Aug. 7, 2012, available at

[5] Press Release, Massachusetts Office of the Attorney General, “South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations,” May 24, 2012, available at

[6] Press Release, Massachusetts Office of the Attorney General, “Former Owners of Medical Billing Practice, Pathology Groups Agree to Pay $140,000 to Settle Claims that Patients’ Health Information was Disposed of at Georgetown Dump,” January 7, 2013, available at

[7] Id.

[8] OCR, “HIPAA Privacy & Security Audit Program,” available at (last visited Jan. 10, 2013).

[9] Kurt T. Temple, Esq., Deputy Regional Manager Region V, OCR, “An Update from OCR on HIPAA Enforcement,” HIPAA COW 2012 Spring Conference, Apr. 20, 2012, available at

[10] Testimony of Leon Rodriguez, supra note 2.

[11] Temple, supra note 9.

[12] Id.

[13] U.S. Department of Health and Human Services Office of Civil Rights, Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance for Calendar Years 2009 and 2010, at 14, available at

[14] Testimony of Leon Rodriguez, supra note 2.

[15] The last resolution agreement of 2012 was completed on December 31 but not widely publicized until January 2, 2013.  See Case Examples and Resolution Agreements, OCR, available at (last visited Jan. 15, 2013).

[16] Press Release, Department of Health and Human Services, “Massachusetts provider settles HIPAA case for $1.5 million,” Sept. 17, 2012, available at

[17] Press Release, Department of Health and Human Services, “Massachusetts General Hospital settles potential HIPAA violations,” Feb. 24, 2011, available at

[18] Annual Report to Congress, supra note 13; Testimony of Leon Rodriguez, supra note 2.

[19] Press Release, Department of Health and Human Services, “HHS imposes a $4.3 million civil penalty for violations of the HIPAA Privacy Rule,” Feb. 22, 2011, available at See also Case Examples and Resolution Agreements, supra note 15 (listing all CMPs and resolution agreements).

[20] Temple, supra note 9.

[21] Testimony of Leon Rodriguez, supra note 2.

[22] Testimony of Loretta E. Lynch, U.S. Attorney, E.D.N.Y., before the Senate Committee on the Judiciary, Subcommittee on Privacy, Technology, and the Law, Nov. 9, 2011, available at